Better Security Testing: Using the Cloud and Continuous Delivery

Gene Gotimer, Senior Architect, [email protected]

© Copyright 2013 Coveros, Inc. All rights reserved.



About Coveros

Coveros helps organizations accelerate the delivery of business value through secure, reliable software.


Security Testing

– Late in the cycle
– Issues are not remediated
– Needs ROI: lower cost, better results, or both


Security Testing

– Consider open-source and free tools
– Opportunities in Continuous Delivery and Cloud
– Identify low-effort opportunities using free and open-source tools


Continuous Integration

– Merge work frequently
– Code commits to source control
– Unit tests run automatically
– No long integration cycle at the end
– Fix code when we find problems
– Build-Test-Commit cycle = rapid feedback


Continuous Delivery

– Every build potentially releasable
– Release is a business decision
– Extrapolation of Continuous Integration
  – Deploys
  – Functional tests
  – Load and performance tests
  – Security tests
– Build-Test-Commit-Deploy-Test-Release cycle


Cloud Computing

– Can’t wait for long procurement
– Public or private clouds
– Works well with Continuous Delivery
  – Easy to deploy
  – New environments whenever needed


Maturity Model for Security Testing

– Level 0: No Security Testing
– Level 1: Unit Testing and Static Analysis
– Level 2: Automated Deploys and Functional Testing
– Level 3: Automated Configuration Management
– Level 4: Cloud Deployments
– Level 5: Continuous Delivery


Level 1: Unit Testing and Static Analysis

Unit tests:
– Confidence to make changes
– Error handling
– General logic errors
– Bounds checking
– Edge conditions


Static analysis:
– Common errors
– Unused variables
– SQL injection
– Cross-Site Scripting (XSS)
– Hard-coded passwords

Unit testing tools:
– JUnit for Java
– NUnit for .Net
– PyUnit for Python
– PHPUnit for PHP

Static analysis tools:
– Sonar for many languages
– PMD for Java
– FindBugs for Java
– PHPMD for PHP
– FxCop for .Net
– PyChecker for Python
– pylint for Python
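The two Level 1 checks the slides name for SQL injection and hard-coded passwords can be exercised as ordinary unit tests that run on every commit. The following is an added example written for this page, not code from the talk or from Coveros: a deliberately string-built query beside its parameterized replacement, a unit test that fails the build if a lookup for a nonexistent user ever returns rows, and a small line-based check for the hard-coded-secret pattern that tools such as FindBugs, PMD or Sonar flag. The table, user data and source snippet are constructed for the example.

```python
"""Level 1 security unit tests: SQL injection and hard-coded secrets (added example)."""
import re
import sqlite3
import unittest

# Constructed sample data for the example; not taken from any real system.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, name):
    """'Before' form: user input is concatenated into SQL text.
    This is the pattern static analysis reports as SQL injection."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Parameterized query: the driver binds the value, so it is never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def leaks_other_users(lookup):
    """True when a tautology smuggled into the name parameter returns rows.
    A lookup for a user that does not exist must return nothing; any rows
    mean the input changed the query's logic."""
    conn = make_db()
    rows = lookup(conn, "nobody' OR '1'='1")
    return len(rows) > 0


# Constructed regex for the hard-coded-secret pattern static analyzers flag:
# a secret-like variable name assigned a quoted literal.
_SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|api_key|token)\b\s*=\s*[\"'][^\"']+[\"']"
)


def find_hardcoded_secrets(source_text):
    """Return 1-based line numbers whose text assigns a quoted literal to a
    secret-like name. Values read from the environment do not match."""
    return [
        lineno
        for lineno, line in enumerate(source_text.splitlines(), start=1)
        if _SECRET_ASSIGNMENT.search(line)
    ]


class Level1SecurityTests(unittest.TestCase):
    """Runs under PyUnit/unittest on every commit, like any other unit test."""

    def test_lookup_with_tautology_returns_nothing(self):
        self.assertFalse(leaks_other_users(find_user_safe))

    def test_vulnerable_form_is_detected(self):
        # Documents why the string-built form was removed; would fail if reintroduced.
        self.assertTrue(leaks_other_users(find_user_vulnerable))

    def test_no_hardcoded_secret_in_snippet(self):
        # Constructed source snippet; line 2 is the defect.
        snippet = 'host = "db"\npassword = "hunter2"\npw = os.environ["DB_PW"]\n'
        self.assertEqual(find_hardcoded_secrets(snippet), [2])


if __name__ == "__main__":
    unittest.main()
```

The injection test is written against a behaviour (a lookup for an absent user returns no rows) rather than against the code, so it keeps passing after the query is moved to an ORM or another driver; the secret check is intentionally coarse and is the kind of "start basic, add tuning" rule that a real analyzer replaces once it is in the pipeline.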


Level 2: Automated Deploys and Functional Testing

Automated deploys:
– Frequent security scans
– Rapid feedback
– Web application scanners: w3af, wapiti, Skipfish
– Start basic, add tuning


Functional testing:
– Access control
– Data protection
– Web application testing: Selenium


Proxies:
– Better coverage
– XSS and Cross-Site Request Forgery (XSRF)
– URLs from logs to augment spidering
– Data leakage
– Web application proxies: OWASP Zed Attack Proxy (ZAP) Project, OWASP WebScarab, Ratproxy


Level 3: Automated Configuration Management

Deployment/configuration: Puppet, Chef

Provisioning: Cobbler, Kickstart, Windows Deployment Services

– Completely new systems, or build on templates
– Repeatable configuration management


Complete system scans: OpenVAS, Nmap, Nikto2
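Once configuration management makes every deployed system repeatable, a whole-system scan can be compared against what Puppet or Chef was supposed to produce, and the pipeline can fail on drift instead of handing a human a report. The following is an added example, not code from the talk or from Coveros: it parses Nmap's XML output format (the `-oX` report) and compares each host's open ports to a baseline of expected listeners. The XML document, hostnames and baseline are constructed for the example, and the baseline's shape is an assumption rather than anything the slides define.

```python
"""Pipeline gate comparing an Nmap XML report to a configuration-management baseline (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Nmap's -oX output; not a real scan result.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX scan.xml web-01" start="0" version="6.40">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.11" addrtype="ipv4"/>
    <hostnames><hostname name="web-01" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port>
      <port protocol="tcp" portid="3306"><state state="closed" reason="reset"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed baseline: the listeners the configuration-management role is
# expected to leave open on each host (hostname -> {(protocol, port)}).
BASELINE = {"web-01": {("tcp", 22), ("tcp", 443)}}


def open_ports(nmap_xml):
    """Map each scanned host to the set of (protocol, port) reported open."""
    root = ET.fromstring(nmap_xml)
    observed = {}
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        hostname = host.find("hostnames/hostname")
        name = hostname.get("name") if hostname is not None else addr
        ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                ports.add((port.get("protocol"), int(port.get("portid"))))
        observed[name] = ports
    return observed


def configuration_drift(observed, baseline):
    """Return {host: (unexpected_open, expected_but_not_open)} for hosts that
    differ from the baseline, plus any scanned host the baseline does not know."""
    drift = {}
    for host, expected in baseline.items():
        actual = observed.get(host, set())
        extra, missing = actual - expected, expected - actual
        if extra or missing:
            drift[host] = (extra, missing)
    for host in observed.keys() - baseline.keys():
        drift[host] = (observed[host], set())  # unknown host: everything is unexpected
    return drift


def scan_matches_baseline(nmap_xml, baseline=BASELINE):
    """Gate for the deploy pipeline: True only when every host matches its baseline."""
    return not configuration_drift(open_ports(nmap_xml), baseline)


if __name__ == "__main__":
    for host, (extra, missing) in configuration_drift(open_ports(SAMPLE_NMAP_XML), BASELINE).items():
        print(f"{host}: unexpected open {sorted(extra)}, expected but not open {sorted(missing)}")
    print("gate passed" if scan_matches_baseline(SAMPLE_NMAP_XML) else "gate failed")
```

In the constructed report port 8080 is open on web-01 but absent from the baseline, so the gate fails; a port that is expected but not open is reported too, because either direction means the deployed system no longer matches the configuration that was reviewed. Tuning, in the sense of the Level 2 slide, is then a change to the baseline under version control rather than a scan exception nobody can audit.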


Level 4: Cloud Deployments

On-demand environments:
– Long-running scans in parallel
– Production-sized machines, even temporarily
– Failover and high availability

Multiple client systems in parallel:
– Race conditions
– Multi-user interactions
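The race conditions the slide has in mind only appear when several clients hit the same state at once, which is exactly what on-demand cloud environments make cheap to arrange. The following is an added example, not code from the talk or from Coveros, showing the smallest version of the problem and how to test for it deterministically: a single-use coupon whose check-then-act redemption is not atomic, a fixed version that holds a lock across both steps, and a harness that runs the clients as threads. The `before_act` hook and the `threading.Barrier` are test scaffolding of my own so that every client is forced past the check before any of them acts; without such a hook a racy test is flaky and gets ignored.

```python
"""Deterministic race-condition test for a check-then-act bug (added example)."""
import threading


class Coupon:
    """Single-use coupon. redeem_unsafe races; redeem_safe does not."""

    def __init__(self, code):
        self.code = code
        self.redeemed = False
        self._lock = threading.Lock()

    def redeem_unsafe(self, before_act=None):
        """'Before' form: the check and the act are separate steps, so two
        clients can both see redeemed == False and both succeed."""
        if self.redeemed:            # check
            return False
        if before_act is not None:   # test hook: force the bad interleaving
            before_act()
        self.redeemed = True         # act
        return True

    def redeem_safe(self):
        """Fixed form: check and act happen under one lock, so exactly one
        client can ever win. (A database would use a transaction or a
        conditional UPDATE for the same effect.)"""
        with self._lock:
            if self.redeemed:
                return False
            self.redeemed = True
            return True


def run_clients(redeem, clients, hook=None):
    """Run `clients` threads calling `redeem` at once; return how many succeeded."""
    results = []  # list.append is atomic under CPython, so no extra locking here

    def client():
        results.append(redeem(hook) if hook is not None else redeem())

    threads = [threading.Thread(target=client) for _ in range(clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for ok in results if ok)


def demo(clients=5):
    """Return (successful redemptions of the racy coupon, of the fixed coupon).
    The barrier releases only when all clients have passed the check, so the
    racy version lets every client redeem; the fixed version allows one."""
    barrier = threading.Barrier(clients, timeout=5)
    racy = run_clients(Coupon("SAVE10").redeem_unsafe, clients, hook=barrier.wait)
    fixed = run_clients(Coupon("SAVE10").redeem_safe, clients)
    return racy, fixed


if __name__ == "__main__":
    racy, fixed = demo()
    print(f"racy coupon redeemed {racy} times, fixed coupon redeemed {fixed} time(s)")
```

The same shape scales up: replace the threads with separate client machines started from the cloud and the coupon with the real endpoint, and keep the assertion that the number of successful redemptions is exactly one.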


Web performance testing frameworks:
– Apache JMeter: Java-based UI
  • HTTP, HTTPS, SOAP, JDBC, LDAP, JMS, SMTP, POP, IMAP
– ab, ApacheBench: command-line
– The Grinder: Jython and Clojure
– Gatling: Scala


Level 5: Continuous Delivery

– Release ready for production
– Continuous deployment
– High levels of automation
– Dashboards
  – Custom development


Personal Experience

– Agile development grew into Continuous Delivery
– Automated deploys with Puppet
– Selenium functional tests
– JMeter performance tests


Security testing lagged. Excuses:
– The “official” tool is expensive.
– It would take a lot of time to acquire and then to configure it.
– We don’t have time.
– It isn’t our responsibility.
– The security team wouldn’t accept our scans anyway.

– Open-source tools
– Focus on security, not compliance
– Limited time


– Web application scans with w3af
– Vulnerability assessments with OpenVAS
– Security standards checks with OpenSCAP
– Initial implementation ~ a day each
– No more freebies


Conclusion

– Earlier security testing
  – Less likely to skip
  – More likely to remediate
– Open-source tools
– Other testing as foundation
– Gradually add more security tests
– Continuous Delivery and Cloud Computing give security testing opportunities


Questions?

Gene Gotimer
Email: [email protected]
Twitter: @CoverosGene