OWASP EEE, profile picture
Uploaded byOWASP EEE
PDF, PPTX472 views

[Poland] SecOps live cooking with OWASP appsec tools

This document outlines the agenda and demos for a presentation on securing the software delivery pipeline using open source security tools. The presentation covers setting up a continuous delivery pipeline using tools like Ansible, Jenkins and Docker to automate security testing with OWASP tools like ZAP and Dependency Check. It includes demos of manual testing with these tools, integrating them into a delivery pipeline using automation, and approaches like containerization to improve the speed and feedback loop of security testing. The overall goal is to discuss how to shorten software development cycles while maintaining security by automating testing within the delivery pipeline.

Embed presentation

Download as PDF, PPTX
SecOps live cooking with OWASP appsec tools Maciej Lasyk OWASP EEE – Kraków 2015-10-06
Join Fedora Infrastructure! → learn Ansible → join the security team! → use Fedora Security Lab (spin) http://fedoraproject.org/en/join-fedora
Agenda? →about delivery pipeline →demos →manual testing →automation →delivery pipeline
Agenda? →about delivery pipeline →demos →manual testing →automation →delivery pipeline
Agenda? →about delivery pipeline →demos →manual testing →automation →delivery pipeline
Agenda? →about delivery pipeline →demos →manual testing →automation →delivery pipeline
Agenda? →about delivery pipeline →demos →manual testing →automation →delivery pipeline
DEV INTEGRATION TEST PROD Delivery Pipeline & security testing
DEV INTEGRATION TEST PROD Feedback loop! Delivery Pipeline!
DEV INTEGRATION TEST PROD Feedback loop! Delivery Pipeline! → UAT → Performance → Security
DEV INTEGRATION TEST containers PROD Feedback loop! Delivery Pipeline! → UAT → Performance → Security Experimentation gives you improvements! Continuous security scanning
→ shortening the cycle time → viability of scanning windows → burndown charts - security testing slice is usually tiny → security testing has to be faster → providing instant feedback → CD is a goal Delivery Pipeline!
→ shortening the cycle time → viability of scanning windows → burndown charts - security testing slice is usually tiny → security testing has to be faster → providing instant feedback → CD is a goal Delivery Pipeline!
→ shortening the cycle time → viability of scanning windows → burndown charts - security testing slice is usually tiny → security testing has to be faster → providing instant feedback → CD is a goal Delivery Pipeline!
→ shortening the cycle time → viability of scanning windows → burndown charts - security testing slice is usually tiny → security testing has to be faster → providing instant feedback → CD is a goal Delivery Pipeline!
→ shortening the cycle time → viability of scanning windows → burndown charts - security testing slice is usually tiny → security testing has to be faster → providing instant feedback → CD is a goal Delivery Pipeline!
→ shortening the cycle time → viability of scanning windows → burndown charts - security testing slice is usually tiny → security testing has to be faster → providing instant feedback → CD is a goal Delivery Pipeline!
Manual testing demo #1 OWASP webgoat, OWASP hackademic story test-app vs OWASP ZAP
Manual testing demo #1 OWASP webgoat, OWASP hackademic story test-app vs OWASP ZAP
Manual testing demo #2 Fedora Pagure vs OWASP Dependency Check
Automation tools → Ansible (www.ansible.com) → Jenkins (jenkins-ci.org) → GoCD (www.go.cd)
Automation tools → Ansible (www.ansible.com) → Jenkins (jenkins-ci.org) → GoCD (www.go.cd)
Automation tools → Ansible (www.ansible.com) → Jenkins (jenkins-ci.org) → GoCD (www.go.cd)
Automation demo #1 Installing Jenkins w/Ansible
Linux Containers - Docker → Docker? → Docker Registry
Linux Containers - Docker → Docker? → Docker Registry
Automation demo #2 OWASP ZAP && Dependency Check + Docker
Automation demo #3 OWASP ZAP && Dependency Check + Docker + Jenkins
Automation demo #4 Containerization of security tools
Docker inside Docker? Pros and cons
Automation demo #5 What about false positives / negatives?
Automation demo #6 Full delivery pipeline
Summary Should we replace classical pentests with automation?
SecOps live cooking with OWASP appsec tools Maciej Lasyk OWASP EEE – Kraków 2015-10-06

More Related Content

PDF
The Seven Habits of Highly Effective Puppet Users - PuppetConf 2014
byPuppet
 
PDF
Vagrant - the essence of DevOps in a tool
byPaul Stack
 
PDF
DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...
byDevSecCon
 
PDF
LasCon 2014 DevOoops
byChris Gates
 
PDF
FrenchKit 2017: Server(less) Swift
byChris Bailey
 
PDF
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
byDevSecCon
 
PPTX
OpenStack Contribution Workflow
bySean McGinnis
 
PPTX
Tests your pipeline might be missing
byGene Gotimer
 
The Seven Habits of Highly Effective Puppet Users - PuppetConf 2014
byPuppet
 
Vagrant - the essence of DevOps in a tool
byPaul Stack
 
DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...
byDevSecCon
 
LasCon 2014 DevOoops
byChris Gates
 
FrenchKit 2017: Server(less) Swift
byChris Bailey
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
byDevSecCon
 
OpenStack Contribution Workflow
bySean McGinnis
 
Tests your pipeline might be missing
byGene Gotimer
 

What's hot

PPTX
DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman
byDevSecCon
 
PDF
How to successfully migrate to Bazel from Maven or Gradle - Riga Dev Days
byNatan Silnitsky
 
PPTX
DevOOPS: Attacks and Defenses for DevOps Toolchains
byChris Gates
 
PPTX
CI/CD Pipeline to Deploy and Maintain an OpenStack IaaS Cloud
bySimon McCartney
 
PPTX
CI/CD for React Native
byJoao Marins
 
PDF
Rise of the Machines - Automate your Development
bySven Peters
 
PDF
Open Canary - novahackers
byChris Gates
 
PDF
Releasing the monolith on a daily basis - CodeMash
byVincent Kok
 
PDF
Arquillian : An introduction
byVineet Reynolds
 
PDF
Мониторинг облачной CI-системы на примере Jenkins / Александр Акбашев (HERE T...
byOntico
 
PPTX
Power Up Your Build - Omer van Kloeten @ Wix 2018-04
byOmer van Kloeten
 
PDF
Microservices testing in distributed systems
byIsa Vilacides
 
PDF
DevSecCon London 2017 - MacOS security, hardening and forensics 101 by Ben Hu...
byDevSecCon
 
PPTX
InSpec Workshop DevSecCon 2017
byMandi Walls
 
PPTX
OpenSlava 2015 When DevOps Hurts
byAntons Kranga
 
PDF
CI CD Basics
byPrabhu Ramkumar
 
PDF
Badge Poser v3.0 - A DevOps Journey
byFabio Cicerchia
 
PDF
Your first patch to open stack
byAkanksha Agrawal
 
PPTX
AWS Survival Guide
byKen Johnson
 
PDF
Live Testing A Legacy App
byColdFusionConference
 
DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman
byDevSecCon
 
How to successfully migrate to Bazel from Maven or Gradle - Riga Dev Days
byNatan Silnitsky
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
byChris Gates
 
CI/CD Pipeline to Deploy and Maintain an OpenStack IaaS Cloud
bySimon McCartney
 
CI/CD for React Native
byJoao Marins
 
Rise of the Machines - Automate your Development
bySven Peters
 
Open Canary - novahackers
byChris Gates
 
Releasing the monolith on a daily basis - CodeMash
byVincent Kok
 
Arquillian : An introduction
byVineet Reynolds
 
Мониторинг облачной CI-системы на примере Jenkins / Александр Акбашев (HERE T...
byOntico
 
Power Up Your Build - Omer van Kloeten @ Wix 2018-04
byOmer van Kloeten
 
Microservices testing in distributed systems
byIsa Vilacides
 
DevSecCon London 2017 - MacOS security, hardening and forensics 101 by Ben Hu...
byDevSecCon
 
InSpec Workshop DevSecCon 2017
byMandi Walls
 
OpenSlava 2015 When DevOps Hurts
byAntons Kranga
 
CI CD Basics
byPrabhu Ramkumar
 
Badge Poser v3.0 - A DevOps Journey
byFabio Cicerchia
 
Your first patch to open stack
byAkanksha Agrawal
 
AWS Survival Guide
byKen Johnson
 
Live Testing A Legacy App
byColdFusionConference
 

Viewers also liked

PDF
AppSec Pipelines and Event based Security
byMatt Tesauro
 
PDF
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
byDinis Cruz
 
PPTX
Dependency check
byDavid Karlsen
 
PDF
Veracode Automation CLI (using Jenkins for SDL integration)
byDinis Cruz
 
PDF
Managing third party libraries
byn|u - The Open Security Community
 
PPTX
Building an AppSec Pipeline: Keeping your program, and your life, sane
byweaveraaaron
 
PDF
Hiding in Plain Sight: The Danger of Known Vulnerabilities
byImperva
 
PPTX
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
byDerrick Hunter
 
PDF
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
byAjin Abraham
 
PDF
2014 11-06-sonarqube-asfws-141110031042-conversion-gate01
byCyber Security Alliance
 
PDF
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
byMatt Tesauro
 
PDF
AppSec is Eating Security
byAlex Stamos
 
ODP
Building an Open Source AppSec Pipeline
byMatt Tesauro
 
PPTX
Managing Security in External Software Dependencies
bythariyarox
 
PDF
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
byThreat Stack
 
PPTX
Continuous Security - TCCC
byWendy Istvanick
 
PDF
[Russia] Bugs -> max, time <= T
byOWASP EEE
 
PPTX
Live 2014 Survey Results: Open Source Development and Application Security Su...
bySonatype
 
PPTX
News Bytes - December 2015
byn|u - The Open Security Community
 
PDF
27 jan 2012[1]
byBiblioteca Escolar Aeob
 
AppSec Pipelines and Event based Security
byMatt Tesauro
 
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
byDinis Cruz
 
Dependency check
byDavid Karlsen
 
Veracode Automation CLI (using Jenkins for SDL integration)
byDinis Cruz
 
Managing third party libraries
byn|u - The Open Security Community
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
byweaveraaaron
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
byImperva
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
byDerrick Hunter
 
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
byAjin Abraham
 
2014 11-06-sonarqube-asfws-141110031042-conversion-gate01
byCyber Security Alliance
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
byMatt Tesauro
 
AppSec is Eating Security
byAlex Stamos
 
Building an Open Source AppSec Pipeline
byMatt Tesauro
 
Managing Security in External Software Dependencies
bythariyarox
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
byThreat Stack
 
Continuous Security - TCCC
byWendy Istvanick
 
[Russia] Bugs -> max, time <= T
byOWASP EEE
 
Live 2014 Survey Results: Open Source Development and Application Security Su...
bySonatype
 
News Bytes - December 2015
byn|u - The Open Security Community
 
27 jan 2012[1]
byBiblioteca Escolar Aeob
 

Similar to [Poland] SecOps live cooking with OWASP appsec tools

ODP
OWASP WTE - Now in the Cloud!
byMatt Tesauro
 
PDF
we45 DEFCON Workshop - Building AppSec Automation with Python
byAbhay Bhargav
 
PDF
Automating OWASP Tests in your CI/CD
byrkadayam
 
PDF
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
PDF
Building a Secure DevOps Pipeline - for your AppSec Program
byMatt Tesauro
 
PDF
Continuous Security Testing
byRay Lai
 
ODP
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
byMatt Tesauro
 
PDF
The DevSecOps Builder’s Guide to the CI/CD Pipeline
byJames Wickett
 
PDF
Pragmatic Pipeline Security
byJames Wickett
 
PDF
The Emergent Cloud Security Toolchain for CI/CD
byJames Wickett
 
PPTX
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
byMatt Tesauro
 
ODP
Making security-agile matt-tesauro
byMatt Tesauro
 
PPTX
Security Testing for Containerized Applications
bySoluto
 
PPTX
DevSecCon Tel Aviv 2018 - Security Testing for Containerised Apps by Omer Levi
byDevSecCon
 
PDF
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
PPTX
Perforce on Tour 2015 - Grab Testing By the Horns and Move
byPerforce
 
PDF
DevSecOps: The Open Source Way
byGordon Haff
 
PDF
Including security in devops
byJérémy Matos
 
PPTX
WinOps Conf 2016 - Michael Greene - Release Pipelines
byWinOps Conf
 
PPTX
Securing the continuous integration
byIrene Michlin
 
OWASP WTE - Now in the Cloud!
byMatt Tesauro
 
we45 DEFCON Workshop - Building AppSec Automation with Python
byAbhay Bhargav
 
Automating OWASP Tests in your CI/CD
byrkadayam
 
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
Building a Secure DevOps Pipeline - for your AppSec Program
byMatt Tesauro
 
Continuous Security Testing
byRay Lai
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
byMatt Tesauro
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
byJames Wickett
 
Pragmatic Pipeline Security
byJames Wickett
 
The Emergent Cloud Security Toolchain for CI/CD
byJames Wickett
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
byMatt Tesauro
 
Making security-agile matt-tesauro
byMatt Tesauro
 
Security Testing for Containerized Applications
bySoluto
 
DevSecCon Tel Aviv 2018 - Security Testing for Containerised Apps by Omer Levi
byDevSecCon
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
Perforce on Tour 2015 - Grab Testing By the Horns and Move
byPerforce
 
DevSecOps: The Open Source Way
byGordon Haff
 
Including security in devops
byJérémy Matos
 
WinOps Conf 2016 - Michael Greene - Release Pipelines
byWinOps Conf
 
Securing the continuous integration
byIrene Michlin
 

More from OWASP EEE

PPTX
[Austria] How we hacked an online mobile banking Trojan
byOWASP EEE
 
PDF
[Lithuania] I am the cavalry
byOWASP EEE
 
PDF
[Austria] Security by Design
byOWASP EEE
 
PDF
[Lithuania] DigiCerts and DigiID to Enterprise apps
byOWASP EEE
 
PDF
[Russia] MySQL OOB injections
byOWASP EEE
 
PDF
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
byOWASP EEE
 
PDF
[Cluj] Information Security Through Gamification
byOWASP EEE
 
PDF
[Russia] Building better product security
byOWASP EEE
 
PDF
[Hungary] Survival is not mandatory. The air force one has departured are you...
byOWASP EEE
 
PDF
[Poland] It's only about frontend
byOWASP EEE
 
PDF
[Cluj] CSP (Content Security Policy)
byOWASP EEE
 
PDF
[Russia] Node.JS - Architecture and Vulnerabilities
byOWASP EEE
 
PPTX
[Cluj] Turn SSL ON
byOWASP EEE
 
PDF
[Austria] ZigBee exploited
byOWASP EEE
 
PPTX
[Hungary] I play Jack of Information Disclosure
byOWASP EEE
 
PDF
[Bucharest] Your intents are dirty, droid!
byOWASP EEE
 
PDF
[Lithuania] Introduction to threat modeling
byOWASP EEE
 
PDF
[Hungary] Secure Software? Start appreciating your developers!
byOWASP EEE
 
PDF
[Russia] Give me a stable input
byOWASP EEE
 
PDF
[Cluj] A distributed - collaborative client certification system
byOWASP EEE
 
[Austria] How we hacked an online mobile banking Trojan
byOWASP EEE
 
[Lithuania] I am the cavalry
byOWASP EEE
 
[Austria] Security by Design
byOWASP EEE
 
[Lithuania] DigiCerts and DigiID to Enterprise apps
byOWASP EEE
 
[Russia] MySQL OOB injections
byOWASP EEE
 
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
byOWASP EEE
 
[Cluj] Information Security Through Gamification
byOWASP EEE
 
[Russia] Building better product security
byOWASP EEE
 
[Hungary] Survival is not mandatory. The air force one has departured are you...
byOWASP EEE
 
[Poland] It's only about frontend
byOWASP EEE
 
[Cluj] CSP (Content Security Policy)
byOWASP EEE
 
[Russia] Node.JS - Architecture and Vulnerabilities
byOWASP EEE
 
[Cluj] Turn SSL ON
byOWASP EEE
 
[Austria] ZigBee exploited
byOWASP EEE
 
[Hungary] I play Jack of Information Disclosure
byOWASP EEE
 
[Bucharest] Your intents are dirty, droid!
byOWASP EEE
 
[Lithuania] Introduction to threat modeling
byOWASP EEE
 
[Hungary] Secure Software? Start appreciating your developers!
byOWASP EEE
 
[Russia] Give me a stable input
byOWASP EEE
 
[Cluj] A distributed - collaborative client certification system
byOWASP EEE
 

Recently uploaded

PPTX
CaseStudy-CloudMigration -For USE CASE -Customer Success Info -6-Aug-25.pptx
bywinlentech
 
PDF
Design For Test - Getting Test Automation value from Design Expressions.
byDavid Harrison
 
PPTX
mc l2 Overview of Computer and Web-Technology.pptx
byavanikharde
 
PPT
Memory Organization In Assembly Language
byumairmuhammad0409
 
PPTX
Overview-of-Anti-DDoS-Solutions-On-Premise-vs-On-Cloud.pptx
bybunhongkruy
 
PDF
Novi.LMS.Veseli.Cetvrtak.001 (1).pdfjjjj
byzoran radovic
 
PPTX
Artificial Intelligence (AI) Technology Project Proposal _ by Slidesgo.pptx
byadhyaadi804
 
PPTX
Why-Enterprises-Should-Build-Their-Own-Core-Network-and-Own-Their-ASN-and-Pub...
bybunhongkruy
 
PPT
Lecture_3 Network Securityeyeyggegeg.ppt
bysawsan202
 
DOCX
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
PPTX
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
PPTX
Lesson 3 - Methodology of Green Computing - part2 - dela cruz.pptx
byOmar Fernandez
 
PDF
tokiohotellistening.pdf for tokiohotelfans
byrafaelgombos1234
 
PDF
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
PDF
LMS.Golconda.Vanredni.Broj.001.pdfjjjjjjj
byzoran radovic
 
PPTX
SriLank SLT LTE Network Sharing V2.pptx
bynthuang
 
PDF
classification of elements and periodicity.pdf
byaryanshreya2010
 
PPTX
Ideathon template.pptx it is a ideathon template
bykonav71133
 
PPTX
Anti-DDoS Service Introduction(Customer Version) - 2025(1).pptx
bybunhongkruy
 
PDF
Greetings All Students Update 3 by LDMMIA
by©LDMMIA, ©Reiki Yoga
 
CaseStudy-CloudMigration -For USE CASE -Customer Success Info -6-Aug-25.pptx
bywinlentech
 
Design For Test - Getting Test Automation value from Design Expressions.
byDavid Harrison
 
mc l2 Overview of Computer and Web-Technology.pptx
byavanikharde
 
Memory Organization In Assembly Language
byumairmuhammad0409
 
Overview-of-Anti-DDoS-Solutions-On-Premise-vs-On-Cloud.pptx
bybunhongkruy
 
Novi.LMS.Veseli.Cetvrtak.001 (1).pdfjjjj
byzoran radovic
 
Artificial Intelligence (AI) Technology Project Proposal _ by Slidesgo.pptx
byadhyaadi804
 
Why-Enterprises-Should-Build-Their-Own-Core-Network-and-Own-Their-ASN-and-Pub...
bybunhongkruy
 
Lecture_3 Network Securityeyeyggegeg.ppt
bysawsan202
 
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
Lesson 3 - Methodology of Green Computing - part2 - dela cruz.pptx
byOmar Fernandez
 
tokiohotellistening.pdf for tokiohotelfans
byrafaelgombos1234
 
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
LMS.Golconda.Vanredni.Broj.001.pdfjjjjjjj
byzoran radovic
 
SriLank SLT LTE Network Sharing V2.pptx
bynthuang
 
classification of elements and periodicity.pdf
byaryanshreya2010
 
Ideathon template.pptx it is a ideathon template
bykonav71133
 
Anti-DDoS Service Introduction(Customer Version) - 2025(1).pptx
bybunhongkruy
 
Greetings All Students Update 3 by LDMMIA
by©LDMMIA, ©Reiki Yoga
 

[Poland] SecOps live cooking with OWASP appsec tools