[Poland] SecOps live cooking with OWASP appsec tools
SecOps live cooking with OWASP appsec tools
Maciej Lasyk
OWASP EEE – Kraków
2015-10-06

Join Fedora Infrastructure!
→ learn Ansible
→ join the security team!
→ use Fedora Security Lab (spin)
http://fedoraproject.org/en/join-fedora

Agenda?
→ about delivery pipeline
→ demos
→ manual testing
→ automation
→ delivery pipeline

Delivery Pipeline & security testing
DEV → INTEGRATION → TEST → PROD
containers
Feedback loop!
Delivery Pipeline!
→ UAT → Performance → Security
Experimentation gives you improvements!
Continuous security scanning

Delivery Pipeline!
→ shortening the cycle time
→ viability of scanning windows
→ burndown charts - security testing slice is usually tiny
→ security testing has to be faster
→ providing instant feedback
→ CD is a goal
![Page 13: [Poland] SecOps live cooking with OWASP appsec tools](https://reader034.vdocuments.net/reader034/viewer/2022042619/5877ceb81a28ab39588b7503/html5/thumbnails/13.jpg)
→ shortening the cycle time
→ viability of scanning windows
→ burndown charts - security testing slice is usually tiny
→ security testing has to be faster
→ providing instant feedback
→ CD is a goal
Delivery Pipeline!
![Page 14: [Poland] SecOps live cooking with OWASP appsec tools](https://reader034.vdocuments.net/reader034/viewer/2022042619/5877ceb81a28ab39588b7503/html5/thumbnails/14.jpg)
→ shortening the cycle time
→ viability of scanning windows
→ burndown charts - security testing slice is usually tiny
→ security testing has to be faster
→ providing instant feedback
→ CD is a goal
Delivery Pipeline!
![Page 15: [Poland] SecOps live cooking with OWASP appsec tools](https://reader034.vdocuments.net/reader034/viewer/2022042619/5877ceb81a28ab39588b7503/html5/thumbnails/15.jpg)
→ shortening the cycle time
→ viability of scanning windows
→ burndown charts - security testing slice is usually tiny
→ security testing has to be faster
→ providing instant feedback
→ CD is a goal
Delivery Pipeline!
![Page 16: [Poland] SecOps live cooking with OWASP appsec tools](https://reader034.vdocuments.net/reader034/viewer/2022042619/5877ceb81a28ab39588b7503/html5/thumbnails/16.jpg)
→ shortening the cycle time
→ viability of scanning windows
→ burndown charts - security testing slice is usually tiny
→ security testing has to be faster
→ providing instant feedback
→ CD is a goal
Delivery Pipeline!
![Page 17: [Poland] SecOps live cooking with OWASP appsec tools](https://reader034.vdocuments.net/reader034/viewer/2022042619/5877ceb81a28ab39588b7503/html5/thumbnails/17.jpg)
→ shortening the cycle time
→ viability of scanning windows
→ burndown charts - security testing slice is usually tiny
→ security testing has to be faster
→ providing instant feedback
→ CD is a goal
Delivery Pipeline!
![Page 18: [Poland] SecOps live cooking with OWASP appsec tools](https://reader034.vdocuments.net/reader034/viewer/2022042619/5877ceb81a28ab39588b7503/html5/thumbnails/18.jpg)
![Page 19: [Poland] SecOps live cooking with OWASP appsec tools](https://reader034.vdocuments.net/reader034/viewer/2022042619/5877ceb81a28ab39588b7503/html5/thumbnails/19.jpg)

Manual testing demo #1
OWASP WebGoat, OWASP Hackademic story
test-app
vs
OWASP ZAP

Manual testing demo #2
Fedora Pagure
vs
OWASP Dependency Check

Automation tools
→ Ansible (www.ansible.com)
→ Jenkins (jenkins-ci.org)
→ GoCD (www.go.cd)

Automation demo #1
Installing Jenkins w/ Ansible

Linux Containers - Docker
→ Docker?
→ Docker Registry

Automation demo #2
OWASP ZAP && Dependency Check + Docker

Automation demo #3
OWASP ZAP && Dependency Check + Docker + Jenkins

Automation demo #4
Containerization of security tools

Docker inside Docker?
Pros and cons

Automation demo #5
What about false positives / negatives?

Automation demo #6
Full delivery pipeline

Summary
Should we replace classical pentests with automation?