8-12May,2017

CreatinganAppsec PipelinewithContainersinaweek

HowweFailedandSucceededJeroenWillemsen

About me

Jeroen Willemsen@commjoeniejwillemsen@xebia.com

``Securityarchitect’’``Full-stackdeveloper’’``Mobilesecurity’’

Agenda

• Thechallenge• Thesolution• Bumps onthe road• Recap

8-12May,2017

TheChallengeWhatcouldpossiblygowrong?

TheChallenge

TheChallenge:Thelandscape

TheChallenge:Existing workflow

ReadyforValidation

E2ETest

DeploytoDev

UnitTest

StoreArtifact

BuildPull&Merge

TheChallenge:Newentries

• OWASPDependency-Check• Licensecheckers•

•• Etc…

&

& SAST

8-12May,2017

TheSolutionWegottherekindoff…

TheSolution:Extend build step

Add dependency &license checkersontopofquality tooling.

GetfeedbackFAST!

E2ETestwithproxy

TheSolution:Feeding ZAP&BURP

Scheduledlongscans

DeploytoDev

UnitTest

StoreArtifact

BuildPull&Merge

Quickscan

TheSolution:DAST&reporting

TheSolution:Clair

• RunClaironthecreatedcontainers.

• Todo:runClairregularlyontheregistry,addwhitelists&integratewithThreadfix.

Thesolution:Containerize!

• Our toolsembedded incontainers:+ Less additional platformcomplexities+ Can runanywhere (locally /deployed)+ Easyto scale- Still need to managethe data!- Moreassetsthat might contain vulnerabilities• Not perfect:Still haveto hardenour assets.

Thesolution:astarting point./clair-scannerapp/threadfix example-whitelist.yaml http://10.200.98.63:606010.200.98.63

2017-05-1210:50:19.712897I|Analyzing014fdc7e45e4e7c5967856fc65d7bb5ff0b324fe4ef1ac8ce448843ab310416aAnd9 otherlayers…

Giving:2017-05-1210:50:19.854789I|Imagecontainsunapprovedvulnerabilities:[CVE-2017-6508]

- A vulnerability in wget…- Used when creating the container- Not used during runtime

TheSolution:Did it work?

YES!Notallcomponentsarein,butfeedbackis

alreadyofgreatvalue

8-12May,2017

ThebumpsontheroadAnd their countermeasures

Bump1:Falsepositives

Bump1:Falsepositives

• Use settings/plugins inappà noscaling.

• Use aDBwith aframework:

• Use appslike&

XBump2:LegacyAPIs

Bump2:LegacyAPIs

TestlegacyAPIsseparatelyL

Bump3:Notfrustratedevelopers

• Give feedbackfast!• Automate all the things!• Bepartofthe team• Filter&suppress false positives ASAP• Use known tooling

Bump4:IntegratingBurpproxy

• IntegrationwithBurpisnotcompleted– Custombuildsforcontainers– Attimeoftesting:AdditionalextensionsnecessarytohaveaproperRESTAPI

Bump5:Falsenegatives….

Securityautomationdoesnotmean:nomanualpentesting.

Evenwhenyouaddmoretools(whichwehaveto…).

Bump6:Platformteamavailability

8-12May,2017

Recap

Recap

• Automateallthethings:getfeedbackFAST.• Containerize• Filterfalsepositives• StublegacyAPIs• HELPdevelopers,DONOTfrustrate!• Stillaneedformanualpentesting &reviewing.• Getplatform-teamsupport!• Everypartofthepipelineisablessing!

8-12May,2017

QUESTIONS?

8-12May,2017

Thankyou!

8-12May,2017

Appendices

App.1:hot-swappableplatform

Infrastructure as Code Static Host OS

High Availability By Default

Use Autoscaling

Externalize Data

Automated Repeatable Bootstrapping

App.2:Actualdeployment

RenderFleetUnit

File

SubmitFleetUnit

StartContainers

RegisterService

Configureproxy