The document discusses the DevOpsSec approach which aims to integrate security testing into the development process through automation. It outlines how DevOpsSec can help address issues that arise from the traditional separation of development and operations teams. The document provides examples of different types of tests that can be automated, such as unit testing, performance testing, and security testing of an application's attack surface. It promotes automating as many tests as possible and sharing test automation code to continuously monitor for vulnerabilities and issues.

1. My Little Webapp – DevOpsSec is Magic
Apollo Clark
@apolloclark
apolloclark.com
slideshare.net/ApolloClark/my-little-webap-devopssec-is-magic

3. About Me
• Originally from Maine
• Lived in Milwaukee, Chicago, Atlanta
• Web developers since 2001
• PHP, Python, Java, Perl, Visual Basic
• Kali Linux, Burpsuite, SQLMap, XSSer, etc.
• Got badly hacked in 2010, been learning since
• I like making good software

6. What if we could fix anything
in 10 minutes?

7. With DevOpsSec, you can!

8. How does it feel?

10. Prepare for a meme filled ride.

13. How do we do things today?

17. We need to build QA and security in.

18. What can we do?

23. Dev vs. Ops

25. Dev vs. Ops
• Devs are paid to change code, high entropy

26. Dev vs. Ops
• Devs are paid to change code, high entropy
• Ops are paid to have stability, low entropy

27. Dev vs. Ops
• Devs are paid to change code, high entropy
• Ops are paid to have stability, low entropy
• Change != Stability

28. Dev vs. Ops
• Devs are paid to change code, high entropy
• Ops are paid to have stability, low entropy
• Change != Stability
• IE8 only supports loading 31 CSS files

29. "One line of code can break everything."

30. What do we do?

33. Climbing the Pyramid

36. Performance
• stress testing: "how many concurrent users?"

38. Performance
• stress testing: "how many concurrent users?"
• server latency: "how long is the response wait?"

39. Performance
• stress testing: "how many concurrent users?"
• server latency: "how long is the response wait?"
• initial client-side load latency: "time to first tweet"

41. Performance
• stress testing: "how many concurrent users?"
• server latency: "how long is the response wait?"
• initial client-side load latency: "time to first tweet"
• client latency: "how long does action take?"

42. Performance
• stress testing: "how many concurrent users?"
• server latency: "how long is the response wait?"
• initial client-side load latency: "time to first tweet"
• client latency: "how long does action take?"

43. Don’t forget to DDoS yourself.

44. I like to DDoS myself on the weekends.

47. What we got:

49. What we want:

51. Code quality testing IS security testing.

52. Code Quality
• linting, correct formatting

54. Code Quality
• linting, correct formatting
• copy + paste, easily refactor

55. Code Quality
• linting, correct formatting
• copy + paste, easily refactor
• complexity, refactoring target

57. 2^6 possible code pathways

58. 64 possible outcomes from 1 function.

59. Code Quality
• linting, correct formatting
• copy + paste, easily refactor
• complexity, refactoring target
• unsafe calls, change implementation

61. Code Quality
• linting, correct formatting
• copy + paste, easily refactor
• complexity, refactoring target
• unsafe calls, change implementation
• e2e tests, detect regressions

62. Code Quality
• linting, correct formatting
• copy + paste, easily refactor
• complexity, refactoring target
• unsafe calls, change implementation
• e2e tests, detect regressions
• unit tests, detect integration issues

63. Code Quality
• linting, correct formatting
• copy + paste, easily refactor
• complexity, refactoring target
• unsafe calls, change implementation
• e2e tests, detect regressions
• unit tests, detect integration issues
• coverage, testing thoroughness

64. Code Quality
• linting, correct formatting
• copy + paste, easily refactor
• complexity, refactoring target
• unsafe calls, change implementation
• e2e tests, detect regressions
• unit tests, detect integration issues
• coverage, testing thoroughness
• mocks, speed up testing

66. Unit Testing

68. Ready to try some Unit Testing?

70. Unit Testing
GET /users/<account_name>
• happy path: "aclark"
• missing entry: "aclark2"
• lower bounds: "a"
• upper bounds: "aaaaaaaaa"
• empty: "account_name" : ""
• null: (null)
• fuzzing: "a2$@o9(@1"

72. "a2$@o9(@1" eventually becomes "a or 1=1; --"

77. Supported

78. Supported
• define supported devices, resolutions,
browsers, and versions

79. You can’t support everything:

81. Supported
• define supported devices, resolutions,
browsers, and versions
• use Selenium WebDriver

82. Supported
• define supported devices, resolutions,
browsers, and versions
• use Selenium WebDriver
• test locally in VM images

84. Supported
• define supported devices, resolutions,
browsers, and versions
• use Selenium WebDriver
• test locally in VM images
• test on the cloud

85. Supported
• define supported devices, resolutions,
browsers, and versions
• use Selenium WebDriver
• test locally in VM images
• test on the cloud

86. Try using unsupported systems. Hopefully fail
gracefully. Might even find something…

87. Hint: Try setting your browser User-Agent to iPhone 3.0
when visiting news websites :P

91. Deployable
• atomic base box VM

93. Deployable
• atomic base box VM
• provisioning scripts

95. Deployable
• atomic base box VM
• provisioning scripts
• deploy to local, AWS, Rackspace, etc.

96. Deployable
• atomic base box VM
• provisioning scripts
• deploy to local, AWS, Rackspace, etc.
• scan dependency list

98. Deployable
• atomic base box VM
• provisioning scripts
• deploy to local, AWS, Rackspace, etc.
• scan dependency list
• scan server setup

100. Deployable
• atomic base box VM
• provisioning scripts
• deploy to local, AWS, Rackspace, etc.
• scan dependency list
• scan server setup

104. My personal websites:

107. Monitoring
• request origin

108. If you’re a ‘Murican only company,
why are you letting your server talk
to Russia?

109. Monitoring
• request origin
• request scans

112. Monitoring
• request origin
• request scans
• invalid requests

114. Monitoring
• request origin
• request scans
• invalid requests
• request flood

116. Monitoring
• request origin
• request scans
• invalid requests
• request flood
• response flood

118. Monitoring
• request origin
• request scans
• invalid requests
• request flood
• response flood
• server uptime

119. Monitoring
• request origin
• request scans
• invalid requests
• request flood
• response flood
• server uptime
• latency

120. Monitoring
• request origin
• request scans
• invalid requests
• request flood
• response flood
• server uptime
• latency
• cpu load

121. Monitoring
• request origin
• request scans
• invalid requests
• request flood
• response flood
• server uptime
• latency
• cpu load

122. My startup has < 100 users. It gets
scanned and attacked every day.

123. Your live servers are getting
hammered all the time.

127. Security
• what to test?

128. This is your attack surface:

132. Security
• what to test?
• how to test?

134. Security
• what to test?
• how to test?
• monitor issues

136. Security
• what to test?
• how to test?
• monitor issues
• aggregate reports

137. Security
• what to test?
• how to test?
• monitor issues
• aggregate reports
• prioritize issues

138. Security
• what to test?
• how to test?
• monitor issues
• aggregate reports
• prioritize issues
• automate tests

139. Security
• what to test?
• how to test?
• monitor issues
• aggregate reports
• prioritize issues
• automate tests

140. Give and request automated tests,
not PDF docs.

141. Write "Malicious User Stories"

143. IF YOU SEE
SOMETHING,
SAY SOMETHING.

144. ... but, at least write a test.

146. DevOpsSec is free, you can do it today.

147. Automation does not replace people.

149. Automation is people.

151. Repeat after me:

152. "I am DevOpsSec ..."

153. "... and so can you!"

155. Apollo Clark
@apolloclark
apolloclark.com
slideshare.net/ApolloClark/my-little-webap-devopssec-is-magic
github.com/apolloclark/py-jenkins-ci