How to Integrate AppSec Testing into Your DevOps Program

34 slides, uploaded by denim-group on 21-Jan-2018

TRANSCRIPT

Page 1: How to Integrate AppSec Testing into Your DevOps Program

© 2017 IBM & Denim Group – All Rights Reserved

Dan Cornell, Denim Group
Michael Smith, IBM Security
Alexei Pivkine, IBM Security

Page 2

Agenda

• AppSec & DevOps

• Turning Concepts Into Reality

• Demo

• Q&A Session

Page 3

Application Security and DevOps

Page 4

DevOps Is Here

Page 5

Some Security Teams Will Adapt (& Others Will Not)

Page 6

Use This Transition to Your Advantage

Page 7

Move Security to the Left and Obtain Buy-In

Page 8

Better Security Insight, More Often

Page 9

What Do Application Security Auditors Want?

• Reduce Risk Exposure

• Introduce Fewer Vulnerabilities

• Find Vulnerabilities Early

• Fix Vulnerabilities Quickly


Page 10

What Do DevOps Teams Want?

Page 11

How Do We Make This a Reality?

Page 12

Application Security Testing in CI/CD Pipelines

Page 13

Testing Tradeoffs

• Coverage vs. speed

• Depth vs. ease of understanding

• False negatives vs. false positives

Page 14

Focus for CI/CD Testing

• Tune to find important vulnerabilities

• Focus on high-risk issues (high-severity & easy to exploit)

• Tune to avoid false positives

  • False positives erode the trust of development teams

  • Even at the risk of false negatives

• Tune to run quickly

  • Focus on areas of the application that were changed

• Pair this with a multi-layered scan approach

  • Run a broader security scan outside of the CI/CD pipeline on a recurring basis (e.g. nightly, weekly) to catch any important issues that might have been missed

  • Similar to regression tests in functional testing

Page 15

Decision-Making Factors

Should we fail the build or block the release?
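One way to turn the tuning advice on page 14 and the fail-the-build question on page 15 into a concrete pipeline gate, as an added example (not the presenters' code or any AppScan/ThreadFix feature); the policy values, finding records and file paths are assumed sample data:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str        # "critical" | "high" | "medium" | "low"
    confidence: str      # scanner's own confidence in the finding
    easy_to_exploit: bool
    path: str            # file or endpoint the finding points at

_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Assumed policy knobs: the pipeline gate is tuned tight, the recurring
# broad scan (nightly/weekly) is allowed to be noisier and wider.
PIPELINE_POLICY = {"min_severity": "high", "min_confidence": "high",
                   "require_easy_exploit": True, "changed_only": True}
BROAD_POLICY = {"min_severity": "medium", "min_confidence": "medium",
                "require_easy_exploit": False, "changed_only": False}

def gate_findings(findings, changed_paths, policy):
    """Return the findings that `policy` says should block the build."""
    changed = set(changed_paths)
    blocking = []
    for f in findings:
        if _RANK[f.severity] < _RANK[policy["min_severity"]]:
            continue   # not important enough to stop a pipeline
        if _RANK[f.confidence] < _RANK[policy["min_confidence"]]:
            continue   # likely false positive; accept the false-negative risk
        if policy["require_easy_exploit"] and not f.easy_to_exploit:
            continue   # high severity but hard to exploit: defer to the broad scan
        if policy["changed_only"] and f.path not in changed:
            continue   # untouched code belongs to the recurring broad scan
        blocking.append(f)
    return blocking

def should_fail_build(findings, changed_paths, policy=PIPELINE_POLICY):
    """The page-15 decision: fail the build only on gated findings."""
    return bool(gate_findings(findings, changed_paths, policy))

# Constructed sample: one commit touched two files; the scanner reported four issues.
SAMPLE_FINDINGS = [
    Finding("sql-injection", "critical", "high", True, "src/orders/search.py"),
    Finding("xss-reflected", "high", "low", True, "src/orders/search.py"),
    Finding("weak-cipher", "high", "high", False, "src/legacy/export.py"),
    Finding("verbose-errors", "low", "high", True, "src/orders/search.py"),
]
SAMPLE_CHANGED = ["src/orders/search.py", "src/orders/models.py"]
```

Under the pipeline policy only the SQL injection in the changed file blocks the build; the broad policy additionally surfaces the weak cipher in untouched legacy code, which is exactly the issue the nightly scan exists to catch.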

Page 16

Reporting & Remediation

• Leverage existing tools, such as defect tracking systems (e.g. JIRA)

• Provide developers with interactive issue information

• Establish remediation SLAs & follow up on issues that are overdue

• Avoid using these…

Page 17

Turning Concepts Into Reality

Page 18

IBM Security AppScan Enterprise overview

• Highly scalable Dynamic Analysis Security Testing (DAST) for web apps & web services

• Find the highest-risk application security issues quickly & easily

• Seamless integration into the DevOps pipeline via proven DAST automation capabilities

Page 19

IBM AppScan Enterprise overview

• Works over HTTP(S) like a “hacker-in-a-box”

• Leverages existing functional tests in order to focus on the changes and enable good coverage and fast scanning

• Provides a comprehensive set of REST APIs to fully automate DAST scans and enable product integrations

Page 20

Steps of a DAST Scan: Configure → Explore → Test → Results

Configure: create a scan from a small set of pre-defined templates based on application risk, test policies, etc.

Explore: spider through the application, by manual explore and/or automatic explore.

• Manual explore: AppScan captures the HTTP traffic generated by functional tests via a custom proxy and then uses that traffic as training data for the security scan. Manual explore enables quick & focused scans.

• Automatic explore allows for broad & comprehensive scans.

Test: scan time will depend on the size of the test policy and the web pages/services to be scanned.

Results: AppScan Enterprise provides a web UI & a comprehensive set of REST APIs and enables flexible reporting and remediation options.
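An added example (not AppScan code) of the manual-explore idea above: functional-test traffic captured by a proxy, here in HAR 1.2 form, is reduced to the unique endpoints and parameter names a quick, focused scan should cover; the hostnames, the session-breaking path list and the capture itself are constructed:

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Assumed: request paths that would end the scanner's authenticated session.
SESSION_BREAKING = ("/logout", "/signout")

def har_to_scope(har_text, in_scope_hosts):
    """Reduce recorded traffic to sorted unique (method, path, param names)."""
    har = json.loads(har_text)
    endpoints = {}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        u = urlsplit(req["url"])
        if u.hostname not in in_scope_hosts:
            continue                 # CDN / third-party traffic is out of scope
        if any(u.path.startswith(p) for p in SESSION_BREAKING):
            continue                 # replaying this would log the scanner out
        params = {name for name, _ in parse_qsl(u.query)}
        for p in req.get("postData", {}).get("params", []):
            params.add(p["name"])    # form fields are attack surface too
        key = (req["method"].upper(), u.path)
        endpoints.setdefault(key, set()).update(params)   # merge across recordings
    return sorted((m, p, sorted(names)) for (m, p), names in endpoints.items())

def _req(method, url, form_fields=None):
    """Build one HAR entry (only the fields har_to_scope reads)."""
    request = {"method": method, "url": url}
    if form_fields is not None:
        request["postData"] = {"mimeType": "application/x-www-form-urlencoded",
                               "params": [{"name": n, "value": ""} for n in form_fields]}
    return {"request": request}

# Constructed capture of one functional-test run (hosts are placeholders).
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    _req("GET", "https://shop.example.test/orders?id=7&sort=asc"),
    _req("GET", "https://shop.example.test/orders?id=9"),
    _req("POST", "https://shop.example.test/login", ["user", "pass"]),
    _req("GET", "https://cdn.example.test/app.js"),
    _req("GET", "https://shop.example.test/logout"),
]}})

if __name__ == "__main__":
    for method, path, names in har_to_scope(SAMPLE_HAR, {"shop.example.test"}):
        print(method, path, names)
```

Two recordings of the same endpoint collapse into one scope entry whose parameter set is the union of both, and the CDN and logout requests never reach the scanner.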

Page 21

DAST in the SDLC

• The goals of bringing DAST into the SDLC are very different from those of traditional DAST analysis performed by the security team.

• The key focus is on catching the highest-priority issues and getting them fixed quickly and with minimal overhead.

• AppScan Enterprise DAST within the SDLC is complementary to anything and everything the security team is already doing with DAST.

Page 22

DAST Automation

• DAST scans can be fully automated and provide good scan coverage and result sets at the same time.

• IBM AppScan Enterprise scans can be created and configured either manually or in a fully automated way. The more automated the other functional testing and the overall process already are, the more automated DAST security scans can be.

• Layered scans are usually the best way to balance coverage/findings, frequency of scans and ease of use.

  • Quick, frequent scans look for critical, easy-to-find issues, running nightly or even multiple times a day.

  • They are combined with less frequent, deeper scans, perhaps even with some manual validation. These types of scans can happen once a week, once a sprint, at QA time, etc.

Page 23

ThreadFix Overview

• Create a consolidated view of your applications and vulnerabilities

• Prioritize application risk decisions based on data

• Translate vulnerabilities to developers in the tools they are already using
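An added example, not ThreadFix code, of the consolidated view described on page 23 together with the remediation SLAs from page 16: findings from a DAST run and a SAST run are normalised, merged where they describe the same issue, and checked against per-severity SLAs; the scanner record layouts, SLA days and dates are assumed, as is the SAST record already carrying the route it serves:

```python
from datetime import date, timedelta

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}   # assumed policy

def normalise(scanner, raw):
    """Map one scanner's native record onto the common shape."""
    if scanner == "dast":
        return {"cwe": raw["cwe"], "where": raw["url"].split("?")[0],
                "param": raw.get("parameter"), "severity": raw["severity"].lower(),
                "found": date.fromisoformat(raw["date"]), "sources": {"dast"}}
    if scanner == "sast":   # assumes the SAST record already carries the route it serves
        return {"cwe": raw["cwe"], "where": raw["route"], "param": raw.get("sink_param"),
                "severity": raw["sev"].lower(),
                "found": date.fromisoformat(raw["date"]), "sources": {"sast"}}
    raise ValueError(f"unknown scanner {scanner!r}")

def consolidate(results):
    """Merge records that describe one issue: same CWE, location and parameter."""
    merged = {}
    for scanner, raw in results:
        f = normalise(scanner, raw)
        key = (f["cwe"], f["where"], f["param"])
        if key in merged:
            merged[key]["sources"] |= f["sources"]
            merged[key]["found"] = min(merged[key]["found"], f["found"])  # SLA clock starts at first sighting
        else:
            merged[key] = f
    return list(merged.values())

def overdue(findings, today_iso):
    """Follow-up list: (days overdue, CWE, location), most overdue first."""
    today = date.fromisoformat(today_iso)
    out = []
    for f in findings:
        due = f["found"] + timedelta(days=SLA_DAYS[f["severity"]])
        if today > due:
            out.append(((today - due).days, f["cwe"], f["where"]))
    return sorted(out, reverse=True)

# Constructed scanner output: a DAST and a SAST run against the same app.
SAMPLE_RESULTS = [
    ("dast", {"cwe": 89, "url": "https://app.example.test/search?q=x", "parameter": "q",
              "severity": "High", "date": "2017-09-01"}),
    ("sast", {"cwe": 89, "route": "https://app.example.test/search", "sink_param": "q",
              "sev": "HIGH", "date": "2017-08-20"}),
    ("dast", {"cwe": 79, "url": "https://app.example.test/profile?name=x", "parameter": "name",
              "severity": "Medium", "date": "2017-09-10"}),
    ("sast", {"cwe": 327, "route": "https://app.example.test/export", "sev": "Low", "date": "2017-06-01"}),
]
```

The SQL injection reported by both scanners becomes a single ticket-worthy record whose SLA clock runs from the earlier SAST sighting, so by 1 October 2017 it is the only overdue item.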

Page 24

ThreadFix Overview

Page 25

Create a consolidated view of your applications and vulnerabilities

Page 26

Application Portfolio Tracking

Page 27

Prioritize application risk decisions based on data

Page 28

Vulnerability Prioritization

Page 29

Translate vulnerabilities to developers in tools they are already using

Page 30

Defect Tracker Integration

Page 31

Demo: AppScan Enterprise & ThreadFix

Page 32

Where Does CI/CD Testing Fit?

• A comprehensive application security program is more than CI/CD testing

• CI/CD testing: find & fix high-risk, easy-to-find vulnerabilities quickly

• Full programs include:

  • Multi-layered automated testing – dynamic & static

  • Manual assessments and code review

  • Threat modeling

Page 33

Additional Resources

• IBMer Eitan Worcel’s DevOps blog: https://www.linkedin.com/pulse/application-security-devops-3-key-success-factors-eitan-worcel

• ThreadFix overview: https://www.threadfix.it/

• DAST in the SDLC blog: https://securityintelligence.com/application-security-testing-resurgence-of-dast-for-sdlc-integration-and-scan-automation/

• Effective Application Security Testing in DevOps Pipelines: https://www.denimgroup.com/resources/blog/2016/12/effective-application-security-testing-in-devops-pipelines/

• Alexei Pivkine (IBM Application Security): [email protected]

• Dan Cornell (Denim Group): [email protected]

Page 34

Q&A Session