Soluto, profile picture
Uploaded bySoluto
PPTX, PDF270 views

Security Testing for Containerized Applications

The document discusses security testing for containerized applications. It outlines different layers of containerized apps including code, dependencies, and Docker images. It then describes various security testing techniques that can be applied to each layer, including static analysis tools for code scanning, dependency scanning, and Docker image scanning. It also covers dynamic/runtime testing using passive and active scanning with tools like OWASP Zap. The document advocates building these security tests into the CI/CD pipeline and only deploying container images that pass all tests through a process of image certification. It demonstrates some of these techniques on a sample Lolcode application.

Embed presentation

Downloaded 12 times
Join the conversation #DevSecCon Security Testing for Containerized Apps @omerlh @SolutoEng
http://lolcode.org/
- Helping people get the most out of their technology https://www.solutotlv.com/
You Can’t Do it Alone
Letting Go Responsibly AppSec @ Soluto: ● Threat Modeling ● Empowering ● Education ● Automation
Our Quest: Securing Containerized Apps
Code Dependencies Docker Image Layers of Containerized App
What kind of security tests? ● Static ● Dynamic ● Integrated (which will be ignored) By Using ONLY FOSS tools
Static Analysis
What? ● Scanning static assets (e.g. source code) ● Language aware ● Different Tools for different layer ● Point where is the issue Code Dependencies Docker Image
Code Layer ● Scan the code for vulnerabilities ● Different tools for different languages ● Bandit – Python ● Brakeman – Ruby on Rails ● Find Security Bug - Java ● TSLint - TypeScript ● OWASP Source Code Analyzers list Code Dependencies Docker Image
Example https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
Dependencies Layer ● 3rd party code used by the app ● Usually installed by a package manager ● PyPi, Gem, NuGet, NPM ● Each dependency might include known vulnerability ● OWASP Top 10 A9 ● OWASP Dependency Track Code Dependencies Docker Image
https://snyk.io/stateofossecurity/
NPQ
Docker Image Layer ● Contains the “OS” ● 3rd party software installed ● App engine (NodeJS/.NET Core etc) ● Each one could contain known vulnerabilities ● Multiple open source solutions ● Clair, Anchore, OWASP Dependency Track Code Dependencies Docker Image
https://www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf
Playing with Anchore-Engine
Dynamic Analysis
What? ● Scanning live app ● Language agnostic, protocol aware ● Only detect issues, not what cause to them ● Simple by using OWASP Zap ● Passive ● Active ● Leveraging Docker for local run Code Dependencies Docker Image
Passive Scan ● Proxy black box tests ● Scan HTTP requests/responses ● HTTP static analysis ● Looks for security issues ● Fast, not risky Code Dependencies Docker Image
Active Scan ● Discover all endpoint ● Craft malicious requests ● Test that the server can handle those request ● Slow, could cause damage Code Dependencies Docker Image
Bringing it All Together
Building our CI/CD Pipeline ❑ Break the build or it didn’t happen ❑ False positives ❑ Keep it DRY ❑ Ownership
Let’s add some Glue The ”DevSecOps Tool”
Building our CI/CD Pipeline ✓ Break the build or it didn’t happen ✓ False positives ✓ Keep it DRY ✓ Ownership
Image Certification Only images that passed all the tests should be used on production ● Build dependency ● Image labels ● Image signing ● Image policy
What we have @ Soluto? ● Static analysis ✓ Source code scan ❑ Dependencies scan (in progress) ❑ Image scan ● Dynamic analysis ✓ Passive ❑ Active (in progress)
Demo Time All the code is on GitHub
Testing LolCode App ● Static analysis? ✕ Nothing for source code ✕ No package manager (which is good?) ❑ Image scanning ● Dynamic analysis ✓ Passive ❑ Active
Let’s see it Live! Hope it will work … else I’ll show you slides with screenshots 
Wrapping Up
What we discussed ● Layers of Containerized Applications ● Kind of Tests & FOSS Tools ○ Static (OWASP Dependency Track) ○ Dynamic (OWASP Zap) ● Building the pipeline ○ OWASP Glue ○ Image Certification
Where Do I Start?
Our Quest: Securing Containerized Apps
Questions?
Resources • TechBeacon: Security Tests for Containarized Applications • Guide: Dynamic Security Testing with OWASP Zap • Post: Dynamic Security Testing Made Easy • Slides: Getting Started with OWASP Glue
Join the conversation #DevSecCon Thank You! @omerlh @SolutoEng

More Related Content

PPTX
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
byMohamed Nizzad
 
PDF
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
PDF
DevSecOps : The Open Source Way by Yusuf Hadiwinata
byHananto Wibowo Soenarto
 
PDF
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
byAgile Testing Alliance
 
PDF
Dev secops. Real experience.
byVitaly Balashov
 
PPTX
Dev secops security and compliance at the speed of continuous delivery - owasp
byDag Rowe
 
PDF
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
byMohammed A. Imran
 
PDF
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
byHui (Henry) Chen
 
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
byMohamed Nizzad
 
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
DevSecOps : The Open Source Way by Yusuf Hadiwinata
byHananto Wibowo Soenarto
 
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
byAgile Testing Alliance
 
Dev secops. Real experience.
byVitaly Balashov
 
Dev secops security and compliance at the speed of continuous delivery - owasp
byDag Rowe
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
byMohammed A. Imran
 
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
byHui (Henry) Chen
 

What's hot

PDF
Building a DevSecOps Pipeline Around Your Spring Boot Application
byVMware Tanzu
 
PDF
The DevSecOps Builder’s Guide to the CI/CD Pipeline
byJames Wickett
 
PDF
Barriers to Container Security and How to Overcome Them
byWhiteSource
 
PPTX
DevSecOps
byCheah Eng Soon
 
PPTX
DevSecOps OWASP
byPriyanka Raghavan
 
PDF
DevSecOps What Why and How
byNotSoSecure Global Services
 
PPTX
Owasp glue
bySoluto
 
PDF
Painless DevSecOps: Building Security Into Your DevOps Pipeline
byTasktop
 
PDF
DevSecOps Fundamentals and the Scars to Prove it.
byMatt Tesauro
 
PPT
Code Quality - Security
bysedukull
 
PDF
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
PPTX
DevSecOps reference architectures 2018
bySonatype
 
PDF
DevSecOps - The big picture
byStefan Streichsbier
 
PDF
Strengthen and Scale Security for a dollar or less
byMohammed A. Imran
 
PPTX
DevSecCon Tel Aviv 2018 - Security Testing for Containerised Apps by Omer Levi
byDevSecCon
 
PDF
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
byAbdessamad TEMMAR
 
PDF
Microsoft DevOps Forum 2021 – DevOps & Security
byNico Meisenzahl
 
PPTX
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
PDF
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
PPTX
DevSecOps-OWASP Indonesia Day 2017
bySuman Sourav
 
Building a DevSecOps Pipeline Around Your Spring Boot Application
byVMware Tanzu
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
byJames Wickett
 
Barriers to Container Security and How to Overcome Them
byWhiteSource
 
DevSecOps
byCheah Eng Soon
 
DevSecOps OWASP
byPriyanka Raghavan
 
DevSecOps What Why and How
byNotSoSecure Global Services
 
Owasp glue
bySoluto
 
Painless DevSecOps: Building Security Into Your DevOps Pipeline
byTasktop
 
DevSecOps Fundamentals and the Scars to Prove it.
byMatt Tesauro
 
Code Quality - Security
bysedukull
 
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
DevSecOps reference architectures 2018
bySonatype
 
DevSecOps - The big picture
byStefan Streichsbier
 
Strengthen and Scale Security for a dollar or less
byMohammed A. Imran
 
DevSecCon Tel Aviv 2018 - Security Testing for Containerised Apps by Omer Levi
byDevSecCon
 
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
byAbdessamad TEMMAR
 
Microsoft DevOps Forum 2021 – DevOps & Security
byNico Meisenzahl
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
DevSecOps-OWASP Indonesia Day 2017
bySuman Sourav
 

Similar to Security Testing for Containerized Applications

PDF
Docker in Production: How RightScale Delivers Cloud Applications
byRightScale
 
PDF
DCSF 19 Building Your Development Pipeline
byDocker, Inc.
 
PPTX
SATURN 2018 "Continuous Delivery with Containers" Extended 90 version
byDaniel Bryant
 
PPTX
Continuous Delivery with Containers: The Good, the Bad, and the Ugly - Daniel...
byCodemotion
 
PPTX
O'Reilly 2016: "Continuous Delivery with Containers: The Trials and Tribulati...
byOpenCredo
 
PDF
Pragmatic Pipeline Security
byJames Wickett
 
PDF
Continuous Security Testing
byRay Lai
 
PDF
[Poland] SecOps live cooking with OWASP appsec tools
byOWASP EEE
 
PPTX
O'Reilly/Nginx 2016: "Continuous Delivery with Containers: The Trials and Tri...
byDaniel Bryant
 
PDF
Python Web Conference 2022 - Why should devs care about container security.pdf
byEric Smalling
 
PPTX
vJUG 2017 "Continuous Delivery with Java and Docker: The Good, the Bad, and t...
byDaniel Bryant
 
PDF
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
PDF
ATO 2022 - Why should devs care about container security.pdf
byEric Smalling
 
PDF
Container Stranger Danger - Why should devs care about container security
byEric Smalling
 
PDF
Why Should Developers Care About Container Security?
byAll Things Open
 
PPTX
Codemotion Rome 2018 "Continuous Delivery with Containers: The Good, the Bad ...
byDaniel Bryant
 
PPTX
ContainerSched 2017 "Continuous Delivery with Containers: The Good, the Bad, ...
byDaniel Bryant
 
PDF
The Emergent Cloud Security Toolchain for CI/CD
byJames Wickett
 
PDF
Why should developers care about container security?
byEric Smalling
 
PDF
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
byEric Smalling
 
Docker in Production: How RightScale Delivers Cloud Applications
byRightScale
 
DCSF 19 Building Your Development Pipeline
byDocker, Inc.
 
SATURN 2018 "Continuous Delivery with Containers" Extended 90 version
byDaniel Bryant
 
Continuous Delivery with Containers: The Good, the Bad, and the Ugly - Daniel...
byCodemotion
 
O'Reilly 2016: "Continuous Delivery with Containers: The Trials and Tribulati...
byOpenCredo
 
Pragmatic Pipeline Security
byJames Wickett
 
Continuous Security Testing
byRay Lai
 
[Poland] SecOps live cooking with OWASP appsec tools
byOWASP EEE
 
O'Reilly/Nginx 2016: "Continuous Delivery with Containers: The Trials and Tri...
byDaniel Bryant
 
Python Web Conference 2022 - Why should devs care about container security.pdf
byEric Smalling
 
vJUG 2017 "Continuous Delivery with Java and Docker: The Good, the Bad, and t...
byDaniel Bryant
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
ATO 2022 - Why should devs care about container security.pdf
byEric Smalling
 
Container Stranger Danger - Why should devs care about container security
byEric Smalling
 
Why Should Developers Care About Container Security?
byAll Things Open
 
Codemotion Rome 2018 "Continuous Delivery with Containers: The Good, the Bad ...
byDaniel Bryant
 
ContainerSched 2017 "Continuous Delivery with Containers: The Good, the Bad, ...
byDaniel Bryant
 
The Emergent Cloud Security Toolchain for CI/CD
byJames Wickett
 
Why should developers care about container security?
byEric Smalling
 
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
byEric Smalling
 

More from Soluto

PPTX
Solving trust issues at scale - AppSec California
bySoluto
 
PPTX
Solving trust issues at scale
bySoluto
 
PPTX
Things I wish someone had told me about Istio, Omer Levi Hevroni
bySoluto
 
PPTX
Can Kubernetes Keep a Secret? - Women in AppSec Webinar
bySoluto
 
PPTX
FTRD - Can Kubernetes Keep a Secret?
bySoluto
 
PPTX
The Dark Side of Monitoring
bySoluto
 
PPTX
Hacking like a FED
bySoluto
 
PPTX
Monitoria@Icinga camp berlin
bySoluto
 
PPTX
Can Kubernetes Keep a Secret?
bySoluto
 
PPTX
Kamus intro
bySoluto
 
PPTX
Secure Your Pipeline
bySoluto
 
PDF
React new features and intro to Hooks
bySoluto
 
PPTX
Secure the Pipeline - OWASP Poland Day 2018
bySoluto
 
PDF
Monitoria@reversim
bySoluto
 
PPTX
Languages don't matter anymore!
bySoluto
 
PPTX
Unify logz with fluentd
bySoluto
 
PPTX
Storing data in Redis like a pro
bySoluto
 
PPTX
Monitor all the thingz slideshare
bySoluto
 
PPTX
Authentication without Authentication - AppSec California
bySoluto
 
PPTX
Authentication without Authentication - Peerlyst meetup
bySoluto
 
Solving trust issues at scale - AppSec California
bySoluto
 
Solving trust issues at scale
bySoluto
 
Things I wish someone had told me about Istio, Omer Levi Hevroni
bySoluto
 
Can Kubernetes Keep a Secret? - Women in AppSec Webinar
bySoluto
 
FTRD - Can Kubernetes Keep a Secret?
bySoluto
 
The Dark Side of Monitoring
bySoluto
 
Hacking like a FED
bySoluto
 
Monitoria@Icinga camp berlin
bySoluto
 
Can Kubernetes Keep a Secret?
bySoluto
 
Kamus intro
bySoluto
 
Secure Your Pipeline
bySoluto
 
React new features and intro to Hooks
bySoluto
 
Secure the Pipeline - OWASP Poland Day 2018
bySoluto
 
Monitoria@reversim
bySoluto
 
Languages don't matter anymore!
bySoluto
 
Unify logz with fluentd
bySoluto
 
Storing data in Redis like a pro
bySoluto
 
Monitor all the thingz slideshare
bySoluto
 
Authentication without Authentication - AppSec California
bySoluto
 
Authentication without Authentication - Peerlyst meetup
bySoluto
 

Recently uploaded

PPTX
Cyber security chapter 1 for learning and educating to the students who want ...
byGulMohammadi
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PPTX
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
PDF
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
PPTX
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
PDF
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
PPTX
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
Cyber security chapter 1 for learning and educating to the students who want ...
byGulMohammadi
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 

Security Testing for Containerized Applications

Editor's Notes

  • #2 Thank the organizers Who here is doing AppSec for her living? Who here is willing to help me with code review?
  • #4 How we help with technology
  • #10 Emphasis this is the plan we started with, and it’s WIP
  • #13 https://www.owasp.org/index.php/Source_Code_Analysis_Tools
  • #14 A real example of timing attack due to insecure equals Something easy to miss, but easy to spot using static analysis We had real issue at Soluto that caught by using TSLint 
  • #16 Show how many packages available Say something about the rise
  • #21 Specify that not use it for now
  • #28 Openapi/swagger