The document discusses securing the software deployment pipeline. It describes the evolution from separate development and operations teams to integrated DevOps practices using continuous delivery. Continuous delivery allows for faster reaction times to issues like security vulnerabilities, which typically take over 100 days to fix. The document advocates for implementing security practices like static code analysis, vulnerability scanning, and end-to-end security testing at each stage of the software delivery pipeline to find and fix issues early. It notes challenges in current tools being numerous, complex to configure and install. Containerizing these tools is presented as a solution to standardize and simplify their use in the pipeline.

1. Securing your
Deployment
Pipeline
Strategy & Tech Talk - April 19, 2016
Maximilian Schöfmann | @schoefmann
Container Solutions Switzerland

2. www.container-solutions.com | info@container-solutions.com
B.C. (Before Continuous Integration)

3. www.container-solutions.com | info@container-solutions.com
B.C. (Before Continuous Integration)
homo abap-cobolus integrating software modules, ca. 200000 B.C

4. www.container-solutions.com | info@container-solutions.com
A.D. - but Pre-DevOps (CI only)

5. www.container-solutions.com | info@container-solutions.com
DevOps (present time)

6. www.container-solutions.com | info@container-solutions.com
DevOps + Continuous Delivery + PaaS

7. www.container-solutions.com | info@container-solutions.com
… and Security

8. www.container-solutions.com | info@container-solutions.com
Avg: 103 days to fix a vulnerability
http://darkmatters.norsecorp.com/2015/06/09/security-vulnerabilities-take-average-of-103-days-to-remediate/

9. www.container-solutions.com | info@container-solutions.com
CD improves reaction time!

10. www.container-solutions.com | info@container-solutions.com
So we need to:

11. www.container-solutions.com | info@container-solutions.com
…with better tooling!

12. www.container-solutions.com | info@container-solutions.com
Stages of a delivery pipeline
Commit Integration Acceptance Release

13. www.container-solutions.com | info@container-solutions.com
Stages of a delivery pipeline
Commit Integration Acceptance Release
unit tests

14. www.container-solutions.com | info@container-solutions.com
Stages of a delivery pipeline
Commit Integration Acceptance Release
unit tests service tests

15. www.container-solutions.com | info@container-solutions.com
Stages of a delivery pipeline
Commit Integration Acceptance Release
unit tests service tests UI tests

16. www.container-solutions.com | info@container-solutions.com
Stages of a delivery pipeline
Commit Integration Acceptance Release
unit tests service tests UI tests (exploratory tests)

17. www.container-solutions.com | info@container-solutions.com
Test pyramid
Unit Tests
Service Tests
UI tests
fasterfeedback
confidence
coverage

18. www.container-solutions.com | info@container-solutions.com
“AppSec Pipeline”
Commit Integration Acceptance Release
unit tests service tests UI tests (exploratory tests)

19. www.container-solutions.com | info@container-solutions.com
“AppSec Pipeline”
Commit Integration Acceptance Release
unit tests service tests UI tests (exploratory tests)
static code
analysis

20. www.container-solutions.com | info@container-solutions.com
“AppSec Pipeline”
Commit Integration Acceptance Release
unit tests service tests UI tests (exploratory tests)
static code
analysis
vulnerability
scanning

21. www.container-solutions.com | info@container-solutions.com
“AppSec Pipeline”
Commit Integration Acceptance Release
unit tests service tests UI tests (exploratory tests)
static code
analysis
vulnerability
scanning
end-to-end
security tests

22. www.container-solutions.com | info@container-solutions.com
“AppSec Pipeline”
Commit Integration Acceptance Release
unit tests service tests UI tests (exploratory tests)
static code
analysis
vulnerability
scanning
end-to-end
security tests
(penetration
tests)

23. www.container-solutions.com | info@container-solutions.com
AppSec pyramid?
static code analysis
vulnerability
scanning
E2E
security tests
fasterfeedback
confidence
coverage

24. www.container-solutions.com | info@container-solutions.com
Challenge: False Positives
• maintain exception/fine tuning config for scanner
• run with sensitive heuristics nightly, then update config
• or branch to manual stage to check false positives

25. www.container-solutions.com | info@container-solutions.com
Static analysis
• SonarQube (multiple languages)
• Brakeman (Ruby/Rails)
• OWASP WAP (PHP)
• FindBugs (Java)
• FlawFinder (C/C++)
• … (many commercial, e.g. CHECKMARX)

26. www.container-solutions.com | info@container-solutions.com
Vulnerability scanners (many commercial)
• OWASP Zed Attack Proxy (ZAP)
• Burp suite
• Acunetix
• Nessus, OpenVAS
• Nikto
• w3af
• … (lots and lots more)

27. www.container-solutions.com | info@container-solutions.com
End to end security tests
• Standard tools like Selenium work well
• BDD-Security if you fancy text or want to integrate PO
friendly E2E tests with vulnerability scans
continuumsecurity.net/bdd-intro.html

28. www.container-solutions.com | info@container-solutions.com
more…
owasp.org/index.php/Appendix_A:_Testing_Tools

29. www.container-solutions.com | info@container-solutions.com
But…
• Too many!
• Too different!
• Too complex!
• Stuff to install (lots!)
• Stuff to configure…

30. www.container-solutions.com | info@container-solutions.com
But…
• Too many!
• Too different!
• Too complex!
• Stuff to install (lots!)
• Stuff to configure…

31. www.container-solutions.com | info@container-solutions.com
And what about…

32. www.container-solutions.com | info@container-solutions.com
If we just had a way to package those tools uniformly…

33. www.container-solutions.com | info@container-solutions.com
If we just had a way to package those tools uniformly…

34. www.container-solutions.com | info@container-solutions.com
Demo: Static analysis

35. www.container-solutions.com | info@container-solutions.com
If we just had an easy way to connect scanners to apps…

36. www.container-solutions.com | info@container-solutions.com
If we just had an easy way to connect scanners to apps…

37. www.container-solutions.com | info@container-solutions.com
Demo: Vulnerability scanners

38. www.container-solutions.com | info@container-solutions.com
If there was just a way to scale those tests…

39. www.container-solutions.com | info@container-solutions.com
If there was just a way to scale those tests…

40. maximilian.schoefmann@container-solutions.com | @schoefmann
container-solutions.com