How to Integrate AppSec Testing into Your DevOps Program
TRANSCRIPT
© 2017 IBM & Denim Group – All Rights Reserved
Dan Cornell, Denim Group
Michael Smith, IBM Security
Alexei Pivkine, IBM Security
Agenda
• AppSec & DevOps
• Turning Concepts Into Reality
• Demo
• Q&A Session
Application Security and DevOps
DevOps Is Here
Some Security Teams Will Adapt (& Others Will Not)
Use This Transition to Your Advantage
Move Security to the Left and Obtain Buy-In
Better Security Insight, More Often
What Do Application Security Auditors Want?
• Reduce Risk Exposure
• Introduce Fewer Vulnerabilities
• Find Vulnerabilities Early
• Fix Vulnerabilities Quickly
What Do DevOps Teams Want?
How Do We Make This a Reality?
Application Security Testing in CI/CD Pipelines
Testing Tradeoffs
• Coverage vs. Speed
• Depth vs. Ease of understanding
• False negatives vs. False positives
Focus for CI/CD Testing
• Tune to find important vulnerabilities
  • Focus on high-risk issues (high-severity & easy to exploit)
• Tune to avoid false positives
  • False positives erode the trust of development teams
  • Even at the risk of false negatives
• Tune to run quickly
  • Focus on areas of the application that were changed
• Pair this with a multi-layered scan approach
  • Run a broader security scan outside of a CI/CD pipeline on a recurring basis (e.g. nightly, weekly), to catch any important issues that might have been missed
  • Similar to regression tests in functional testing
Decision-Making Factors
Should we fail the build or block the release?
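One way to turn the tuning guidance above into a concrete build gate: fail the build only on high-severity, high-confidence findings that are new to this build and inside the changed scope, and defer everything else to the recurring broad scan and the defect tracker. This is an added Python example, not code from the webinar, AppScan or ThreadFix; the Finding shape, the ids and the sample findings are all constructed.

```python
"""Build-gate policy for DAST findings in a CI/CD pipeline (added example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One normalized scan result; a constructed shape, not any real tool's schema."""
    vuln_id: str     # stable id (issue type + location) used to diff against the baseline
    severity: str    # "high" | "medium" | "low" | "info"
    confidence: str  # scanner confidence: "certain" | "likely" | "tentative"
    path: str        # URL path where the issue was observed

@dataclass(frozen=True)
class GatePolicy:
    """Tuning knobs: block only on high-risk, high-confidence, newly introduced issues."""
    block_severities: frozenset = frozenset({"high"})
    block_confidences: frozenset = frozenset({"certain"})  # trades false negatives for trust
    only_changed_paths: bool = True  # the fast pipeline scan is scoped to what the build changed

def gate(findings, baseline_ids, suppressed_ids, changed_paths, policy=GatePolicy()):
    """Return (fail_build, blocking, deferred): blocking findings fail the build now,
    deferred ones go to the recurring broad scan, the defect tracker and SLAs."""
    blocking, deferred = [], []
    for f in findings:
        if f.vuln_id in suppressed_ids:  # triaged false positive: never block on it again
            continue
        if f.vuln_id in baseline_ids:    # pre-existing issue: tracked by SLA, not by the gate
            deferred.append(f)
            continue
        in_scope = not policy.only_changed_paths or any(f.path.startswith(p) for p in changed_paths)
        high_risk = f.severity in policy.block_severities and f.confidence in policy.block_confidences
        (blocking if in_scope and high_risk else deferred).append(f)  # everything else is deferred
    return bool(blocking), blocking, deferred

# Constructed sample input for a build that changed only the /api/orders endpoints.
SAMPLE_FINDINGS = [
    Finding("sqli:/api/orders", "high", "certain", "/api/orders"),
    Finding("xss:/search", "high", "certain", "/search"),  # outside the changed scope
    Finding("sqli:/api/orders/export", "high", "tentative", "/api/orders/export"),  # low confidence
    Finding("missing-header:/api/orders", "low", "certain", "/api/orders"),  # triaged false positive
    Finding("xss:/legacy", "high", "certain", "/legacy"),  # already known from the baseline scan
]
BASELINE_IDS = {"xss:/legacy"}
SUPPRESSED_IDS = {"missing-header:/api/orders"}
CHANGED_PATHS = ["/api/orders"]

def demo(policy=GatePolicy()):
    # Run the gate on the constructed sample; returns (fail_build, blocking, deferred).
    return gate(SAMPLE_FINDINGS, BASELINE_IDS, SUPPRESSED_IDS, CHANGED_PATHS, policy)
```

With the default policy only the new, certain, in-scope SQL injection fails the build; widening the scope (`only_changed_paths=False`) is what the slower recurring scan would do, and it also picks up the finding on /search.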
Reporting & Remediation
• Leverage existing tools, such as defect tracking systems (e.g. JIRA)
• Provide developers with interactive issue information
• Establish remediation SLAs & follow up on issues that are overdue
• Avoid using these…
Turning concepts into reality
IBM Security AppScan Enterprise overview
• Highly-scalable Dynamic Analysis Security Testing (DAST) for web apps & web services
• Find highest-risk application security issues quickly & easily!
• Seamless integration into DevOps pipeline, via proven DAST automation capabilities
IBM AppScan Enterprise overview
• Works over HTTP(S) like a “hacker-in-a-box”
• Leverages existing functional tests in order to focus on the changes and enable good coverage and fast scanning
• Provides a comprehensive set of REST APIs to fully automate DAST scans and enable product integrations
Steps of a DAST Scan: Configure, Explore, Test, Results
• Configure: Create a scan from a small set of pre-defined templates based on application risk, test policies, etc.
• Explore: Spider through the application, either by manual explore or by automatic explore. AppScan captures HTTP traffic generated by functional tests via a custom proxy and then uses that traffic as training data for the security scan. Manual explore enables quick & focused scans; automatic explore allows for broad & comprehensive scans.
• Test: Scan time will depend on the size of the test policy and the web pages/services to be scanned.
• Results: AppScan Enterprise provides a web UI & a comprehensive set of REST APIs and enables flexible reporting and remediation options.
DAST in the SDLC
• Goals of bringing DAST into the SDLC are very different from traditional DAST analysis that’s performed by the security team.
• Key focus is on catching the highest-priority issues and getting them fixed quickly and with minimal overhead.
• AppScan Enterprise DAST within the SDLC is complementary to anything and everything the security team is already doing with DAST.
DAST Automation
• DAST scans can be fully automated and provide good scan coverage and result sets at the same time.
• IBM AppScan Enterprise scans can be created and configured either manually or in a fully automated way. The more automated other functional testing and the overall process already is, the more automated DAST security scans can be.
• Layered scans are usually the best way to balance coverage/findings, frequency of scans and ease of use.
  • Quick frequent scans look for critical easy-to-find issues, running nightly or even multiple times a day.
  • They are combined with less frequent deeper scans, perhaps even with some manual validation. These types of scans can happen once a week, once a sprint, at QA time, etc.
ThreadFix Overview
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using
ThreadFix Overview
Create a consolidated view of your applications and vulnerabilities
Application Portfolio Tracking
Prioritize application risk decisions based on data
Vulnerability Prioritization
Translate vulnerabilities to developers in tools they are already using
Defect Tracker Integration
AppScan Enterprise & ThreadFix Demo
Where Does CI/CD Testing Fit?
• A comprehensive application security program is more than CI/CD testing
• CI/CD testing: Find & fix high-risk, easy-to-find vulnerabilities quickly
• Full programs include:
  • Multi-layered automated testing – dynamic & static
  • Manual assessments and code review
  • Threat modeling
Additional Resources
• IBMer Eitan Worcel’s DevOps blog: https://www.linkedin.com/pulse/application-security-devops-3-key-success-factors-eitan-worcel
• ThreadFix overview: https://www.threadfix.it/
• DAST in the SDLC blog: https://securityintelligence.com/application-security-testing-resurgence-of-dast-for-sdlc-integration-and-scan-automation/
• Effective Application Security Testing in DevOps Pipelines: https://www.denimgroup.com/resources/blog/2016/12/effective-application-security-testing-in-devops-pipelines/
• Alexei Pivkine (IBM Application Security): [email protected]
• Dan Cornell (Denim Group): [email protected]
Q&A Session