security tests as part of ci - nir koren, sap - devopsdays tel aviv 2015
TRANSCRIPT
Ignite Session, DevOpsDays TLV 2015
Nir Koren, DevOps Tech Lead, SAP Labs Israel
SECURITY TESTS AS PART OF CONTINUOUS INTEGRATION
WHO AM I
WHO ARE WE
https://il.linkedin.com/in/nirkoren
https://www.facebook.com/koren.nir
@KorenNir
@nir_koren
SAP HANA Cloud Portal solution
FIXING A BUG COSTS
Chart: cost of fixing a bug by the phase in which it is found (Coding, Unit Test, QA Testing, Field Test, Post release); values shown on the chart: $25, $1,000, $16,000. Source: Applied Software Measurement, Capers Jones, 1996.
NORMALLY WE RUN
STATIC scans per MILESTONE, DYNAMIC scans QUARTERLY
DEV NEEDS
FAST FEEDBACK TO BE AGILE
FREQUENT SCANS
WE PROVIDE
FULL AUTOMATION, REPORTS & NOTIFICATIONS
TRANSPARENCY
Identify the vulnerabilities
www.agilerecord.com
Define the important to be addressed
Transparency in Continuous Integration
Make sure everyone knows the status
Automated Processes
Find a way to automate everything you can
Automate reporting and notifications
Push relevant info automatically to all
SECURITY KEY PLAYERS
STATIC TOOLS: CheckMarx, Fortify
DYNAMIC TOOLS: IBM AppScan
Pipeline: SCM -> Build the Dev -> Deploy AUT (application under test) -> Various Tests (NIGHTLY, SECURITY) -> RESULTS ANALYSIS -> EXPOSE DATA
IMPLEMENTATION
IBM AppScan implementation
1. Create a new scan
2. Add your application URL (live system URL and login details)
3. Configure policy and details (predefined scan policy and scan configuration)
HP Fortify implementation
1. Create a new scan (on local server)
2. Upload the FPR (to F360 server)
3. Scan and audit (on F360 server)
4. Generate reports (PDF and XML)
CheckMarx implementation (CheckMarx Jenkins plugin)
1. Connect to my project (on my local server)
2. Create a scan (on Cx Central server)
3. Scan and upload (on my local server)
4. Scan and report (on Cx Central server)
5. Generate reports (PDF and XML)
Bi-directional: HTTP, XML, exposed to all
The status contains links and info (internally developed)
Link to the PDF report
Relevant info from the scan
Status by our definition
Everyone knows the status. Always.
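Worked example of the "results analysis" and "status by our definition" steps above, added here as an illustration; it is not code from the talk, from SAP or from any of the vendors. The XML report format, the report URL and the gating policy are constructed for the example: real AppScan, Fortify and Checkmarx exports use their own vendor-specific schemas and would need their own parsers producing the same `Finding` records.

```python
"""Gate a CI build on a security scan and publish a status others can read.

Added example; not code from the talk or from any scan vendor.
The report format below is CONSTRUCTED for this example. Vendor reports
(AppScan, Fortify FPR/XML, Checkmarx XML) have their own schemas.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample report (hypothetical tool, project, URL and findings).
SAMPLE_REPORT = """<?xml version="1.0"?>
<scan tool="example-sast" project="cloud-portal" build="1234"
      pdf="https://ci.example.internal/reports/1234/security.pdf">
  <finding id="F-1" severity="High"   status="New"   category="SQL Injection"  file="db/query.js"  line="42"/>
  <finding id="F-2" severity="Medium" status="New"   category="XSS"            file="ui/render.js" line="17"/>
  <finding id="F-3" severity="High"   status="Fixed" category="Path Traversal" file="io/files.js"  line="88"/>
  <finding id="F-4" severity="Low"    status="Open"  category="Info Leak"      file="log/trace.js" line="5"/>
</scan>
"""

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    status: str
    category: str
    location: str


def parse_report(xml_text: str):
    """Return (scan metadata dict, list of Finding) from the constructed format."""
    root = ET.fromstring(xml_text)
    findings = [
        Finding(
            id=f.get("id"),
            severity=f.get("severity"),
            status=f.get("status"),
            category=f.get("category"),
            location=f"{f.get('file')}:{f.get('line')}",
        )
        for f in root.findall("finding")
    ]
    return dict(root.attrib), findings


def compute_status(findings, fail_at="High", fail_on_new_only=True):
    """Apply the team's own gating policy; returns (status, blocking findings).

    Assumed policy (the talk only says "status by our definition"):
    - findings already marked Fixed never count;
    - RED if any unfixed finding at or above `fail_at` is New
      (or New/Open when fail_on_new_only is False);
    - YELLOW if anything unfixed remains below the threshold;
    - GREEN otherwise.
    """
    threshold = SEVERITY_RANK[fail_at]
    unfixed = [f for f in findings if f.status != "Fixed"]
    blocking = [
        f for f in unfixed
        if SEVERITY_RANK.get(f.severity, 0) >= threshold
        and (f.status == "New" or not fail_on_new_only)
    ]
    if blocking:
        return "RED", blocking
    if unfixed:
        return "YELLOW", []
    return "GREEN", []


def build_status_message(xml_text: str, fail_at="High") -> dict:
    """The status record pushed to the team: verdict, counts, link to the PDF."""
    meta, findings = parse_report(xml_text)
    status, blocking = compute_status(findings, fail_at=fail_at)
    counts = {}
    for f in findings:
        if f.status != "Fixed":
            counts[f.severity] = counts.get(f.severity, 0) + 1
    return {
        "project": meta.get("project"),
        "build": meta.get("build"),
        "tool": meta.get("tool"),
        "status": status,
        "report_pdf": meta.get("pdf"),
        "open_by_severity": counts,
        "blocking": [f"{f.id} {f.severity} {f.category} @ {f.location}" for f in blocking],
    }


def status_to_xml(msg: dict) -> str:
    """Serialise the status as XML, the form the talk exposes over HTTP."""
    root = ET.Element("status", project=msg["project"], build=msg["build"], result=msg["status"])
    ET.SubElement(root, "report", href=msg["report_pdf"])
    for sev, n in sorted(msg["open_by_severity"].items()):
        ET.SubElement(root, "open", severity=sev, count=str(n))
    for item in msg["blocking"]:
        ET.SubElement(root, "blocking").text = item
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    msg = build_status_message(SAMPLE_REPORT)
    print(status_to_xml(msg))
    # A non-zero exit marks the Jenkins build failed so the fix happens now.
    raise SystemExit(1 if msg["status"] == "RED" else 0)
```

The point of keeping the policy in `compute_status` rather than in the scanner's own severity flag is that the team decides what blocks a build: here a newly introduced High fails the job, an old Open finding is reported but does not, and a Fixed one drops out of the counts. Run as a post-scan Jenkins step, the exit code stops the build and the XML goes on the status page everyone can read.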
Both product and implementation teams are updated
New issues fixed immediately
We never spend separate time on security fixes
Security awareness in our group