owasp2018 - reducing the friction of vulnerability scanning in continuous integration · 2020
TRANSCRIPT
Reducing the friction of vulnerability scanning in continuous integration
Allan Cascante
Legal Notices
This presentation is for informational purposes only. INTEL MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. No computer system can be absolutely secure.
Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.
*Other names and brands may be claimed as the property of others.
Copyright © 2018, Intel Corporation. All rights reserved.
About Me
@allancascante
http://linkedin.com/in/allancascante
Some Key Terms
• SAST – Static Application Security Testing
• DAST – Dynamic Application Security Testing
• Security Testing – Validating software for vulnerabilities
• DevOps – Cultural change to bring development and operations together
• DevSecOps – DevOps + Security
• CI – Continuous Integration
• CD – Continuous Delivery
• Delivery Pipeline – Automated process to deliver software.
HOW TO GO FAST AND SECURELY? When developing software
Continuous Delivery (Pipeline)
* Continuous Delivery. Reliable Software Releases through Build, Test, and Deployment Automation. by Jez Humble and David Farley.
Lack of alignment
• Different direction and goals
• Lack of alignment: efforts cancel each other out
• Feeling of constant work with no real progress
Walls of confusion
(Figure: silos between Business Development, Operations and InfoSec; Dev and OpsSec; Dev, Ops, QA, Sec, Biz, ...)
Why DevOps?
Waterfall
Plan, Code, Build, Test, Prepare Deploy, Deploy, Monitor, Operate
Years, Months, Weeks
SDL
https://social.technet.microsoft.com/wiki/contents/articles/7100.the-security-development-lifecycle.aspx
DevOps Process
Continuously (days, hours, minutes)
http://www.northcrossgroup.com/capabilities/devops/index.php
Our Problem
• SAST and DAST processes were slow and time consuming
• Deployments were gated due to having to complete static and dynamic analysis
• We were asked to go faster but still be compliant with (our) InfoSec requirements
• Save time by automating the manual scan process
• DAST and SAST duration was non-deterministic
HOW CAN WE INTEGRATE SECURITY GATES?
In the DevOps flow
Continuous Delivery (Pipeline)
* Continuous Delivery. Reliable Software Releases through Build, Test, and Deployment Automation. by Jez Humble and David Farley.
SAST
DAST
PenTest
Static Application Security Testing
• Find security bugs
• 'Faster', inside out
• Reads your code
• Works at rest
Commit Stage
Commit, Compile, Tests, Assemble
Code Analysis
• SAST
• Code Quality
Integrated SAST Process
Tools to Integrate your Own
• Git (GitHub*)
• Jenkins*
• SonarQube*
• Any OWASP SonarQube project plugin
*Names and brands are the property of their respective owners
Open Source Alternative
Dynamic Application Security Testing
• Find 'other' security bugs
• 'Slower', outside in
• Plays with your application
• Works at play
Acceptance Stage
Configure Environment, Deploy Binaries, Smoke Tests, Acceptance Test, DAST
Integrated DAST Process
GOING FURTHER, SECURITY TESTING
Integrating more security validations into our delivery pipeline
Why?
• Enhanced assurance
• Faster feedback
• Innovation
• DAST has some 'deficiencies'
ZAP Integration into our pipeline
Advantages in the new approach
• Acceptance tests allow a 'knowledgeable' scan with ZAP
• Reporting from ZAP integrated into builds gives traceability
• Easy integration, just needed to change the proxy settings on the testing boxes
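As an added example (not code from the talk or from the ZAP project): a small Python gate for the acceptance stage that points the test box at ZAP as its outbound proxy, then passes or fails the build from the alerts ZAP recorded while the acceptance tests ran through it. The ZAP host and port, the risk and confidence level names and the alerts JSON keys are assumptions, and the alert sample is constructed.

```python
"""Gate a CI build on the alerts ZAP collected while proxying the acceptance tests."""
import json
import os
from collections import Counter

# Risk and confidence levels as ZAP names them, lowest to highest (names assumed).
RISK_ORDER = ["Informational", "Low", "Medium", "High"]
CONFIDENCE_ORDER = ["False Positive", "Low", "Medium", "High", "User Confirmed"]

# Constructed sample shaped like ZAP's JSON/core/view/alerts response (keys assumed).
SAMPLE_ALERTS = json.dumps({"alerts": [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "confidence": "Medium", "url": "http://app.test/login"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low",
     "confidence": "Medium", "url": "http://app.test/login"},
    {"alert": "Application Error Disclosure", "risk": "Medium",
     "confidence": "Low", "url": "http://app.test/search"},
]})


def proxy_env(zap_host="127.0.0.1", zap_port=8080, base=None):
    """Environment for the test box so its HTTP(S) traffic goes through ZAP.
    Host/port are assumptions; no_proxy is dropped so the app under test
    cannot be reached around the proxy."""
    env = dict(os.environ if base is None else base)
    proxy = f"http://{zap_host}:{zap_port}"
    for var in ("http_proxy", "https_proxy", "HTTP_PROXY", "HTTPS_PROXY"):
        env[var] = proxy
    for var in ("no_proxy", "NO_PROXY"):
        env.pop(var, None)
    return env


def gate(alerts_json, fail_at="Medium", min_confidence="Medium"):
    """Return (passed, blocking_alert_names, counts_by_risk). An alert blocks
    the build when its risk >= fail_at and its confidence >= min_confidence;
    lower-confidence or lower-risk alerts are only counted for the report."""
    alerts = json.loads(alerts_json)["alerts"]
    counts = dict(Counter(a["risk"] for a in alerts))
    blocking = [a["alert"] for a in alerts
                if RISK_ORDER.index(a["risk"]) >= RISK_ORDER.index(fail_at)
                and CONFIDENCE_ORDER.index(a["confidence"]) >= CONFIDENCE_ORDER.index(min_confidence)]
    return not blocking, blocking, counts


if __name__ == "__main__":
    passed, blocking, counts = gate(SAMPLE_ALERTS)
    print("alerts by risk:", counts)
    raise SystemExit(0 if passed else "build blocked by: " + ", ".join(blocking))
```

In a pipeline the acceptance-test runner is launched with `proxy_env()` as its environment and the alerts are fetched from the running ZAP daemon instead of the constructed sample.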
Some Highlights
• While DAST and SAST showed no issues, ZAP reported vulnerabilities
• The ZAP approach turned out to be faster than DAST or SAST scans
• ZAP scan duration is deterministic (same as the acceptance tests)
• According to the State of DevOps report, high-performing teams spend 50% less time remediating security issues