Add Security Testing Tools to Your Delivery Pipeline

Post on 20-Mar-2017


© COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 1@CoverosGene

Add Security Testing Tools to Your Delivery Pipeline

Gene Gotimer

Senior Architect

About Coveros

• Coveros builds security-critical applications using agile methods.
• Coveros Services
  • Agile transformations
  • Agile development and testing
  • DevOps and continuous integration
  • Application security analysis
  • Agile & Security training
• Government qualifications
  • DCAA approved rates and accounting
  • TS facility clearance

Areas of Expertise

Select Clients

Security Testing

Information Security

• Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
• The key concepts of information security include:
  • Confidentiality
  • Integrity
  • Availability
  • + Authenticity
  • + Non-Repudiation

Security Testing

• Often put off until late or ignored completely

Fix security issues and delay release?

Release on time and accept security risks?

Return on Investment

“Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn't make sense in this context.”

-- Bruce Schneier, Schneier on Security

https://www.schneier.com/blog/archives/2008/09/security_roi_1.html

Security in the Delivery Pipeline

Security Tools

“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.”

-- Bruce Schneier, Secrets & Lies

Security Testing Process

1. Use tools to help detect the obvious security problems
2. Remediate
3. Search for less obvious security problems
4. Repeat

Better security process -> Fewer obvious security issues -> Time to find less obvious security issues -> Better security

Incorporate Security Testing

Do just enough of each type of testing early in the pipeline to determine if further testing is justified.

Tools to Consider Adding to the Process

It is easier to protect less

mvn dependency:tree

mvn dependency:analyze

mvn com.ning.maven.plugins:maven-dependency-versions-check-plugin
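As an added example (not from the talk), a small pipeline gate in Python that parses the output of `mvn dependency:analyze` and fails the build when unused declared dependencies turn up, because every library on the classpath is attack surface that has to be kept patched. The Maven output it parses is a constructed sample in the plugin's own format; the allow-list of `groupId:artifactId` pairs is an assumption for the demonstration.

```python
"""Gate a build on `mvn dependency:analyze` findings: unused declared dependencies
are classpath attack surface and fail the build unless allow-listed (added example)."""
import re
import subprocess

SECTION_RE = re.compile(r"\[WARNING\] (Used undeclared|Unused declared) dependencies found:")
COORD_RE = re.compile(r"\[WARNING\]\s+(\S+:\S+:\S+:\S+(?::\S+)*)\s*$")  # g:a:type[:cls]:ver:scope

# Constructed sample in the format the maven-dependency-plugin prints.
SAMPLE = """\
[WARNING] Used undeclared dependencies found:
[WARNING]    org.apache.commons:commons-lang3:jar:3.4:compile
[WARNING] Unused declared dependencies found:
[WARNING]    junit:junit:jar:4.12:test
[WARNING]    commons-fileupload:commons-fileupload:jar:1.3.1:compile
[INFO] ------------------------------------------------------------------------
"""

def parse_analyze_output(text):
    """Return {'used_undeclared': [...], 'unused_declared': [...]} coordinates."""
    findings = {"used_undeclared": [], "unused_declared": []}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = "used_undeclared" if m.group(1) == "Used undeclared" else "unused_declared"
            continue
        m = COORD_RE.match(line)
        if m and section:
            findings[section].append(m.group(1))
        else:
            section = None  # any other line ends the current section
    return findings

def gate_dependencies(findings, allow_unused=frozenset()):
    """Return (ok, reasons); allow_unused holds 'groupId:artifactId' pairs."""
    reasons = []
    for dep in findings["unused_declared"]:
        if ":".join(dep.split(":")[:2]) not in allow_unused:
            reasons.append("unused declared dependency: " + dep)
    for dep in findings["used_undeclared"]:
        reasons.append("used but undeclared (transitive) dependency: " + dep)
    return (not reasons, reasons)

if __name__ == "__main__":
    # Real use: run Maven in batch mode and feed its output through the gate.
    proc = subprocess.run(["mvn", "-B", "dependency:analyze"], capture_output=True, text=True)
    ok, reasons = gate_dependencies(parse_analyze_output(proc.stdout), allow_unused={"junit:junit"})
    print("\n".join(reasons) or "dependency analysis clean")
    raise SystemExit(0 if ok else 1)
```

A used-but-undeclared dependency is one the code reaches only transitively, so a version bump in an unrelated library can silently change or drop it; declaring it explicitly keeps the classpath you patch equal to the classpath you ship.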

Poor quality code is harder to maintain

… and harder to secure

Make sure your tests actually test

Mutation testing

Keep libraries up-to-date

Negative testing

User role testing… what should users not be able to do?

Use a proxy

OWASP ZAP… and piggy-back on functional tests

• passive proxy
• active scanner
• fuzzer
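As an added example, not from the talk: a Python gate for the "piggy-back on functional tests" idea, which routes the tests' HTTP traffic through ZAP's passive proxy, pulls the alerts ZAP raised, and fails the stage when anything at or above a chosen risk level is present. It assumes ZAP's API is reachable on localhost:8080 without an API key and uses the JSON shape of ZAP's `core/view/alerts` view; the alert list below is constructed.

```python
"""Run functional tests through OWASP ZAP's passive proxy, then fail the pipeline
stage on alerts at or above a risk threshold (added example)."""
import json
import urllib.request

ZAP_API = "http://localhost:8080"   # assumption: ZAP proxy/API on its default port
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample in the shape of ZAP's /JSON/core/view/alerts/ response.
SAMPLE_ALERTS = [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "confidence": "Medium", "url": "http://app.test/login", "param": ""},
    {"alert": "Cookie Without Secure Flag", "risk": "Low",
     "confidence": "Medium", "url": "http://app.test/login", "param": "JSESSIONID"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low",
     "confidence": "Medium", "url": "http://app.test/account", "param": "JSESSIONID"},
]

def proxied_opener(proxy=ZAP_API):
    """Opener that sends the functional tests' HTTP traffic through ZAP, so the
    passive scanner sees every request and response the tests already make."""
    handler = urllib.request.ProxyHandler({"http": proxy, "https": proxy})
    return urllib.request.build_opener(handler)

def fetch_alerts(base_url, api=ZAP_API):
    """Ask ZAP for the alerts it raised while proxying traffic to base_url."""
    with urllib.request.urlopen(f"{api}/JSON/core/view/alerts/?baseurl={base_url}") as r:
        return json.load(r)["alerts"]

def summarise(alerts):
    """Collapse per-URL alerts into one row per (alert, risk) with a hit count."""
    rows = {}
    for a in alerts:
        key = (a["alert"], a["risk"])
        rows[key] = rows.get(key, 0) + 1
    return rows

def gate_alerts(alerts, fail_at="Medium"):
    """Return (ok, offenders); ok is False once any alert reaches fail_at."""
    threshold = RISK_ORDER[fail_at]
    offenders = sorted({(a["alert"], a["risk"]) for a in alerts
                        if RISK_ORDER.get(a["risk"], 0) >= threshold})
    return (not offenders, offenders)
```

The functional tests use `proxied_opener()` (or the equivalent proxy setting of their own HTTP client), and once they finish `gate_alerts(fetch_alerts("http://app.test"))` decides whether the stage passes; raising `fail_at` to "High" is the "just enough early" setting, with the active scanner and fuzzer reserved for a later stage.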

Repeatable, reliable deployments… and test that through practice

Audit yourself

Scan the web application

Scan the web server configuration

Scan the system… before and after installing software

Scan all the systems… don’t forget the infrastructure

Keep packages up-to-date

Test performance… even if you just watch the trends

Test the database… for security and performance

Protect against hackers … even on development and test systems

Continuously improve

A little better is still better.

Keep improving.

… and don’t expect perfectly secure

Find more tools

Questions?

Gene Gotimer

gene.gotimer@coveros.com

@CoverosGene
