Embed Size (px)
Citation preview
Securing your Deployment Pipeline Strategy & Tech Talk - April 19, 2016
Maximilian Schöfmann | @schoefmann
Container Solutions Switzerland
www.container-solutions.com | [email protected]
B.C. (Before Continuous Integration)
homoabap-cobolusintegratingsoftwaremodules,ca.200000B.C
www.container-solutions.com | [email protected]
Avg: 103 days to fix a vulnerability
http://darkmatters.norsecorp.com/2015/06/09/security-vulnerabilities-take-average-of-103-days-to-remediate/
www.container-solutions.com | [email protected]
Stages of a delivery pipeline
Commit Integration Acceptance Release
www.container-solutions.com | [email protected]
Stages of a delivery pipeline
Commit Integration Acceptance Release
unit tests
www.container-solutions.com | [email protected]
Stages of a delivery pipeline
Commit Integration Acceptance Release
unit tests service tests
www.container-solutions.com | [email protected]
Stages of a delivery pipeline
Commit Integration Acceptance Release
unit tests service tests UI tests
www.container-solutions.com | [email protected]
Stages of a delivery pipeline
Commit Integration Acceptance Release
unit tests service tests UI tests (exploratory tests)
www.container-solutions.com | [email protected]
Test pyramid
Unit Tests
Service Tests
UI tests
fast
er fe
edba
ck
conf
iden
ce
coverage
www.container-solutions.com | [email protected]
“AppSec Pipeline”
Commit Integration Acceptance Release
unit tests service tests UI tests (exploratory tests)
www.container-solutions.com | [email protected]
“AppSec Pipeline”
Commit Integration Acceptance Release
unit tests service tests UI tests (exploratory tests)
static codeanalysis
www.container-solutions.com | [email protected]
“AppSec Pipeline”
Commit Integration Acceptance Release
unit tests service tests UI tests (exploratory tests)
static codeanalysis
vulnerability scanning
www.container-solutions.com | [email protected]
“AppSec Pipeline”
Commit Integration Acceptance Release
unit tests service tests UI tests (exploratory tests)
static codeanalysis
vulnerability scanning
end-to-end security tests
www.container-solutions.com | [email protected]
“AppSec Pipeline”
Commit Integration Acceptance Release
unit tests service tests UI tests (exploratory tests)
static codeanalysis
vulnerability scanning
end-to-end security tests
(penetration tests)
www.container-solutions.com | [email protected]
AppSec pyramid?
static code analysis
vulnerability scanning
E2E security tests
fast
er fe
edba
ck
conf
iden
ce
coverage
www.container-solutions.com | [email protected]
Challenge: False Positives
• maintain exception/fine tuning config for scanner
• run with sensitive heuristics nightly, then update config
• or branch to manual stage to check false positives
www.container-solutions.com | [email protected]
Static analysis
• SonarQube (multiple languages)
• Brakeman (Ruby/Rails)
• OWASP WAP (PHP)
• FindBugs (Java)
• FlawFinder (C/C++)
• … (many commercial, e.g. CHECKMARX)
www.container-solutions.com | [email protected]
Vulnerability scanners (many commercial)
• OWASP Zed Attack Proxy (ZAP)
• Burp suite
• Acunetix
• Nessus, OpenVAS
• Nikto
• w3af
• … (lots and lots more)
www.container-solutions.com | [email protected]
End to end security tests
• Standard tools like Selenium work well
• BDD-Security if you fancy text or want to integrate PO friendly E2E tests with vulnerability scans
continuumsecurity.net/bdd-intro.html
www.container-solutions.com | [email protected]
But…
• Too many!
• Too different!
• Too complex!
• Stuff to install (lots!)
• Stuff to configure…
www.container-solutions.com | [email protected]
But…
• Too many!
• Too different!
• Too complex!
• Stuff to install (lots!)
• Stuff to configure…
www.container-solutions.com | [email protected]
If we just had a way to package those tools uniformly…
www.container-solutions.com | [email protected]
If we just had a way to package those tools uniformly…
www.container-solutions.com | [email protected]
If we just had an easy way to connect scanners to apps…
www.container-solutions.com | [email protected]
If we just had an easy way to connect scanners to apps…
![[meetup] Docker Brasov #2files.meetup.com/19590550/BRASOV - Up Securing the... · [meetup] Docker Brasov #2 Securing the Software Supply Chain with Docker June 2016. ... Swarm HACK](https://img.dokumen.tips/doc/110x75/5ec57ebe3750743bd40087e2/meetup-docker-brasov-up-securing-the-meetup-docker-brasov-2-securing.jpg)
