How to Integrate AppSec Testing into Your DevOps Program

Post on 21-Jan-2018


© 2017 IBM & Denim Group – All Rights Reserved

How to Integrate AppSec Testing into Your DevOps Program

Dan Cornell, Denim Group
Michael Smith, IBM Security
Alexei Pivkine, IBM Security


Agenda

• AppSec & DevOps

• Turning Concepts Into Reality

• Demo

• Q&A Session


Application Security and DevOps


DevOps Is Here


Some Security Teams Will Adapt

(& Others Will Not)


Use This Transition to Your Advantage


Move Security to the Left and Obtain Buy-In


Better Security Insight, More Often


What Do Application Security Auditors Want?

• Reduce Risk Exposure

• Introduce Fewer Vulnerabilities

• Find Vulnerabilities Early

• Fix Vulnerabilities Quickly


What Do DevOps Teams Want?


How Do We Make This a Reality?


Application Security Testing in CI/CD Pipelines


Testing Tradeoffs

• Coverage vs. Speed
• Depth vs. Ease of understanding
• False negatives vs. False positives


Focus for CI/CD Testing

• Tune to find important vulnerabilities
  • Focus on high-risk issues (high-severity & easy to exploit)
• Tune to avoid false positives
  • False positives erode the trust of development teams
  • Even at the risk of false negatives
• Tune to run quickly
  • Focus on areas of the application that were changed
• Pair this with a multi-layered scan approach
  • Run a broader security scan outside of the CI/CD pipeline on a recurring basis (e.g. nightly, weekly) to catch any important issues that might have been missed
  • Similar to regression tests in functional testing


Decision-Making Factors


Should we fail the build or block the release?
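The tuning rules above (fail only on high-severity, easy-to-exploit issues; suppress known false positives rather than let them erode trust; keep everything else advisory) can be expressed as a small gate script that runs after the scanner export lands in the pipeline. The following is an added example written for this transcript, not AppScan Enterprise or ThreadFix code; the findings schema, the baseline of accepted false positives and the policy thresholds are assumptions, and a real pipeline would load them from the scanner export and the team's repository instead of the constants below.

```python
"""CI/CD gate over DAST findings: block only on high-risk, confirmed issues.

Added example for this deck, not AppScan Enterprise or ThreadFix code. The
findings schema, the baseline of accepted false positives and the policy
thresholds are assumptions.
"""
import json
from dataclasses import dataclass

# Constructed sample export: four findings as a scanner might report them.
SAMPLE_FINDINGS = json.dumps([
    {"type": "SQL Injection", "severity": "high", "confidence": "confirmed",
     "url": "/api/orders", "param": "id"},
    {"type": "Reflected XSS", "severity": "high", "confidence": "suspected",
     "url": "/search", "param": "q"},
    {"type": "Missing X-Frame-Options", "severity": "low", "confidence": "confirmed",
     "url": "/", "param": None},
    {"type": "SQL Injection", "severity": "high", "confidence": "confirmed",
     "url": "/legacy/report", "param": "year"},
])

# Constructed baseline: findings the team reviewed and accepted as false
# positives, stored by the same fingerprint the gate computes.
BASELINE = {"SQL Injection|/legacy/report|year"}

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class GatePolicy:
    fail_at: str = "high"            # block at this severity or above ...
    require_confirmed: bool = True   # ... and only when the scanner confirmed it


def fingerprint(finding):
    """Stable identity across scans: same issue, same place, same parameter."""
    return f"{finding['type']}|{finding['url']}|{finding['param']}"


def evaluate(findings_json, baseline, policy=GatePolicy()):
    """Split findings into blocking / advisory / suppressed; fail if any block."""
    blocking, advisory, suppressed = [], [], []
    for finding in json.loads(findings_json):
        fp = fingerprint(finding)
        if fp in baseline:
            suppressed.append(fp)        # accepted false positive: stay quiet
            continue
        severe = SEVERITY_RANK[finding["severity"]] >= SEVERITY_RANK[policy.fail_at]
        trusted = finding["confidence"] == "confirmed" or not policy.require_confirmed
        if severe and trusted:
            blocking.append(fp)          # high-risk and low doubt: fail the build
        else:
            advisory.append(fp)          # record and track, keep the pipeline green
    return bool(blocking), blocking, advisory, suppressed


if __name__ == "__main__":
    fail, block, adv, sup = evaluate(SAMPLE_FINDINGS, BASELINE)
    print("FAIL" if fail else "PASS")
    print("blocking:", block)
    print("advisory:", adv)
    print("suppressed:", sup)
```

With the sample data the gate fails the build on the confirmed injection in `/api/orders`, reports the suspected XSS and the missing header as advisory, and stays silent on the baselined legacy finding; relaxing `require_confirmed` promotes the suspected XSS to blocking, which is exactly the false-positive risk the slide warns about.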


Reporting & Remediation

• Leverage existing tools, such as defect tracking systems (e.g. JIRA)
• Provide developers with interactive issue information
• Establish remediation SLAs & follow up on issues that are overdue
• Avoid using these…
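Remediation SLAs only work when something computes the deadline for each open finding, lists what is overdue, and pushes the result into the tracker developers already watch. The following is an added example written for this transcript, not ThreadFix's defect-tracker integration; the SLA table, the open findings, the review date and the ticket field names are assumptions, and a real integration would post the ticket dict through the tracker's own API.

```python
"""Remediation SLAs: find overdue findings and hand them to the defect tracker.

Added example for this deck, not ThreadFix's tracker integration. The SLA
table, the open findings, the review date and the ticket field names are
assumptions.
"""
from datetime import date, timedelta

# Assumed policy: days allowed to fix, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed mapping from finding severity to the tracker's priority names.
PRIORITY = {"critical": "Blocker", "high": "High", "medium": "Medium", "low": "Low"}

# Constructed review date so the example is reproducible.
TODAY = date(2017, 12, 1)

# Constructed open findings with the date each was first reported.
OPEN_FINDINGS = [
    {"id": "f1", "type": "SQL Injection", "severity": "high",
     "url": "/api/orders", "first_seen": "2017-09-01", "team": "orders"},
    {"id": "f2", "type": "Reflected XSS", "severity": "medium",
     "url": "/search", "first_seen": "2017-10-20", "team": "search"},
    {"id": "f3", "type": "Missing X-Frame-Options", "severity": "low",
     "url": "/", "first_seen": "2017-06-01", "team": "platform"},
]


def due_date(finding):
    """SLA deadline: first report plus the severity's allowance."""
    first = date.fromisoformat(finding["first_seen"])
    return first + timedelta(days=SLA_DAYS[finding["severity"]])


def days_overdue(finding, today):
    """Positive once the deadline has passed, zero or negative before it."""
    return (today - due_date(finding)).days


def overdue_findings(findings, today):
    """Open findings past their SLA, most overdue first (the follow-up list)."""
    late = [f for f in findings if days_overdue(f, today) > 0]
    return sorted(late, key=lambda f: days_overdue(f, today), reverse=True)


def ticket_for(finding, today):
    """One tracker issue per finding, in the vocabulary developers already use."""
    sev = finding["severity"]
    late = days_overdue(finding, today)
    return {
        "project": finding["team"].upper(),
        "summary": f"[AppSec] {finding['type']} at {finding['url']}",
        "priority": PRIORITY[sev],
        "duedate": due_date(finding).isoformat(),
        "labels": ["security", f"sla-{sev}", "overdue" if late > 0 else "on-track"],
        "description": (f"First seen {finding['first_seen']}; {SLA_DAYS[sev]}-day SLA"
                        + (f", {late} days overdue." if late > 0 else ".")),
    }


def follow_up_report(findings, today):
    """Per-team count of overdue findings, for the weekly SLA review."""
    report = {}
    for f in overdue_findings(findings, today):
        report[f["team"]] = report.get(f["team"], 0) + 1
    return report


if __name__ == "__main__":
    for f in overdue_findings(OPEN_FINDINGS, TODAY):
        print(ticket_for(f, TODAY))
    print(follow_up_report(OPEN_FINDINGS, TODAY))
```

The deadline is derived from the first-seen date, not the latest scan, so a finding that keeps reappearing does not get its clock reset; the per-team count is what the security team brings to the follow-up conversation.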


Turning concepts into reality


IBM Security AppScan Enterprise overview

• Highly-scalable Dynamic Analysis Security Testing (DAST) for web apps & web services

• Find highest-risk application security issues quickly & easily!

• Seamless integration into DevOps pipeline, via proven DAST automation capabilities


IBM AppScan Enterprise overview

• Works over HTTP(S) like a “hacker-in-a-box”
• Leverages existing functional tests in order to focus on the changes and enable good coverage and fast scanning
• Provides a comprehensive set of REST APIs to fully automate DAST scans and enable product integrations


Steps of a DAST Scan: Configure → Explore → Test → Results

Configure: Create a scan from a small set of pre-defined templates based on application risk, test policies, etc.

Explore: Spider through the application.
• Manual explore: AppScan captures HTTP traffic generated by functional tests via a custom proxy and then uses that traffic as training data for the security scan. Manual explore enables quick & focused scans.
• Automatic explore allows for broad & comprehensive scans.

Test: Scan time will depend on the size of the test policy and the web pages/services to be scanned.

Results: AppScan Enterprise provides a web UI & a comprehensive set of REST APIs and enables flexible reporting and remediation options.
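Using recorded functional-test traffic as the scan's training data works because the recording already enumerates the endpoints and parameters the application really uses; what has to happen before the capture is handed to the scanner is the cleanup. The following is an added example written for this transcript, not AppScan's recording proxy or its import format. The capture records, the in-scope host and the seed layout are assumptions; the steps themselves (drop the test run's session material, collapse identifiers so one endpoint is not scanned once per record, dedupe by method and path, keep parameter names but never recorded values) are generic.

```python
"""Turn recorded functional-test traffic into a focused DAST seed.

Added example for this deck, not AppScan's recording proxy or its import
format. The capture records, the in-scope host and the seed layout are
assumptions.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed capture: what a recording proxy might log for one functional run.
CAPTURE = [
    {"method": "POST", "url": "https://app.example.test/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "user=alice&password=s3cret"},
    {"method": "GET", "url": "https://app.example.test/api/orders/1001?expand=items",
     "headers": {"Cookie": "JSESSIONID=abc123", "Accept": "application/json"}, "body": ""},
    {"method": "GET", "url": "https://app.example.test/api/orders/1002?expand=items",
     "headers": {"Cookie": "JSESSIONID=abc123"}, "body": ""},
    {"method": "GET", "url": "https://app.example.test/api/orders/1001/items/7",
     "headers": {"Cookie": "JSESSIONID=abc123"}, "body": ""},
    {"method": "GET", "url": "https://cdn.example.test/static/app.js",
     "headers": {}, "body": ""},
]

IN_SCOPE_HOSTS = {"app.example.test"}            # assumed target; the CDN is out of scope
SESSION_HEADERS = {"cookie", "authorization", "x-csrf-token"}
ID_SEGMENT = re.compile(r"^\d+$|^[0-9a-f]{8}-[0-9a-f-]{27}$")  # integers and UUIDs


def template_path(path):
    """Collapse identifier segments so /orders/1001 and /orders/1002 become one endpoint."""
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def param_names(record, headers):
    """Query and form parameter names only; recorded values are never kept."""
    names = {k for k, _ in parse_qsl(urlsplit(record["url"]).query, keep_blank_values=True)}
    if "x-www-form-urlencoded" in headers.get("content-type", ""):
        names |= {k for k, _ in parse_qsl(record["body"], keep_blank_values=True)}
    return names


def build_seed(capture, in_scope=IN_SCOPE_HOSTS):
    """One seed entry per (method, templated path), session headers removed."""
    seed = {}
    for rec in capture:
        parts = urlsplit(rec["url"])
        if parts.hostname not in in_scope:
            continue                                  # third-party or static host
        headers = {k.lower(): v for k, v in rec["headers"].items()}
        key = (rec["method"], template_path(parts.path))
        entry = seed.setdefault(key, {"method": key[0], "path": key[1],
                                      "params": set(), "headers": {}})
        entry["params"] |= param_names(rec, headers)
        # Keep content negotiation headers; the scanner supplies its own session.
        entry["headers"].update({k: v for k, v in headers.items()
                                 if k not in SESSION_HEADERS})
    return [{**seed[k], "params": sorted(seed[k]["params"])} for k in sorted(seed)]


if __name__ == "__main__":
    for entry in build_seed(CAPTURE):
        print(entry)
```

Five recorded requests become three endpoints; the test user's cookie never reaches the scanner, and the login form's parameter names survive while its recorded password does not. Login and session handling for the scan itself are configured separately, which is why the seed carries no credentials at all.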


DAST in the SDLC

• Goals of bringing DAST into the SDLC are very different from traditional DAST analysis that’s performed by the security team.
• Key focus is on catching the highest-priority issues and getting them fixed quickly and with minimal overhead.
• AppScan Enterprise DAST within the SDLC is complementary to anything and everything the security team is already doing with DAST.


DAST Automation

• DAST scans can be fully automated and provide good scan coverage and result sets at the same time.
• IBM AppScan Enterprise scans can be created and configured either manually or fully automated. The more automated other functional testing and the overall process already is, the more automated DAST security scans can be.
• Layered scans are usually the best way to balance coverage/findings, frequency of scans and ease of use.
  • Quick frequent scans look for critical easy-to-find issues, running nightly or even multiple times a day.
  • They are combined with less frequent deeper scans, perhaps even with some manual validation. These types of scans can happen once a week, once a sprint, at QA time, etc.
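The layered approach described here, together with the earlier advice to focus quick scans on the areas of the application that were changed, comes down to one decision per pipeline event: which profile to run, and against how much of the application. The following is an added example written for this transcript, not AppScan automation; the trigger names, the source-to-route map, the shared-component prefixes and the profile names are assumptions, and in a real pipeline the resulting plan would be handed to the scanner's API as the scan template plus the starting URLs.

```python
"""Pick a scan profile per pipeline event and scope quick scans to what changed.

Added example for this deck, not AppScan automation. The trigger names, the
source-to-route map, the shared-component prefixes and the profile names are
assumptions.
"""
from dataclasses import dataclass, field

# Assumed map from source areas to the routes they serve, kept by the app team.
ROUTE_MAP = {
    "src/orders/": ["/api/orders", "/api/orders/{id}"],
    "src/search/": ["/search"],
    "src/auth/": ["/login", "/logout", "/api/token"],
}

# Assumed: a change here affects every request, so a scoped scan would mislead.
SHARED_PREFIXES = ("src/auth/", "src/middleware/", "src/common/")

# Assumed: files that cannot change runtime behaviour and never need a scan.
NON_CODE_SUFFIXES = (".md", ".txt", ".png")


@dataclass
class ScanPlan:
    profile: str                  # "quick": high-severity, easy-to-exploit checks
                                  # "deep":  full test policy, broad coverage
                                  # "none":  nothing to scan
    paths: list = field(default_factory=list)   # [] means the whole application
    reason: str = ""


def plan_scan(trigger, changed_files):
    """trigger is one of 'commit', 'pull_request', 'nightly', 'release'."""
    if trigger in ("nightly", "release"):
        # Scheduled deep scan: the regression net under the quick scans.
        return ScanPlan("deep", [], "scheduled full scan catches what quick scans miss")
    code = [f for f in changed_files if not f.endswith(NON_CODE_SUFFIXES)]
    if not code:
        return ScanPlan("none", [], "no code changed")
    if any(f.startswith(SHARED_PREFIXES) for f in code):
        # Auth or middleware changed: every route is affected, do not scope.
        return ScanPlan("deep", [], "shared component changed; scoping is unsafe")
    paths = sorted({route for prefix, routes in ROUTE_MAP.items()
                    for f in code if f.startswith(prefix) for route in routes})
    if not paths:
        # Unknown blast radius: keep the quick policy but cover everything.
        return ScanPlan("quick", [], "changes outside the route map; quick scan of everything")
    return ScanPlan("quick", paths, "quick scan scoped to changed routes")


if __name__ == "__main__":
    print(plan_scan("pull_request", ["src/orders/model.py", "README.md"]))
    print(plan_scan("commit", ["src/auth/session.py"]))
    print(plan_scan("nightly", []))
```

The two escalation rules are the ones that matter in practice: a touched shared component widens a quick scan to the whole application rather than trusting the route map, and a change the route map does not know about keeps the fast policy but drops the scoping, so speed never buys a blind spot silently.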


ThreadFix Overview

• Create a consolidated view of your applications and vulnerabilities

• Prioritize application risk decisions based on data

• Translate vulnerabilities to developers in the tools they are already using



Create a consolidated view of your applications and vulnerabilities

Application Portfolio Tracking


Prioritize application risk decisions based on data

Vulnerability Prioritization


Translate vulnerabilities to developers in tools they are already using


Defect Tracker Integration


AppScan Enterprise & ThreadFix Demo


Where Does CI/CD Testing Fit?

• A comprehensive application security program is more than CI/CD testing
• CI/CD testing: Find & fix high-risk, easy-to-find vulnerabilities quickly
• Full programs include:
  • Multi-layered automated testing – dynamic & static
  • Manual assessments and code review
  • Threat modeling


Additional Resources

• IBMer Eitan Worcel’s DevOps blog: https://www.linkedin.com/pulse/application-security-devops-3-key-success-factors-eitan-worcel

• ThreadFix overview: https://www.threadfix.it/

• DAST in the SDLC blog: https://securityintelligence.com/application-security-testing-resurgence-of-dast-for-sdlc-integration-and-scan-automation/

• Effective Application Security Testing in DevOps Pipelines: https://www.denimgroup.com/resources/blog/2016/12/effective-application-security-testing-in-devops-pipelines/

• Alexei Pivkine (IBM Application Security): apivkine@ca.ibm.com

• Dan Cornell (Denim Group): dan@denimgroup.com


Q&A Session
