Ignite SessionDevOpsDays TLV 2015

Nir KorenDevOps Tech Lead, SAP Labs Israel

SECURITY TESTS as part of

CONTINUOUS INTEGRATION

DevOps Tech Lead, SAP Labs Israel

WHOAMI

WHOAREWE

https://il.linkedin.com/in/nirkoren

https://www.facebook.com/koren.nir

@KorenNir

@nir_koren

SAP HANA Cloud Portal solution

FIXING A BUG COSTS

Coding Unit Test QA Testing Field Test Post release

25 $

16,000 $

1,000 $

App

lied

Sof

twar

e M

easu

rem

ent,

Cap

ers

Jone

s 19

96

NORMALLY WE RUN

STATIC (MILESTONE) DYNAMIC (QUARTERLY)

DEV NEEDS

FAST FEEDBACKTO BE AGILED

FREQUENT SCANS

WE PROVIDES

FULL AUTOMATIONREPORTS & NOTIFICATIONS

TRANSPERENCY

Identify the vulnerabilities

www.agilerecord.com

Define the important to be addressed

Transparency in Continuous Integration

www.agilerecord.com

Make sure everyone knows the status

Automated Processes

www.agilerecord.com

Find a way to automate everything you can

Automate reporting and notifications

www.agilerecord.com

Push relevant info automatically to all

SECURITY KEYPLAYERS

IBM AppScan

STATIC TOOLS DYNAMIC TOOLS

CheckMarx

AppScan

Fortify

RESULTS ANALYSIS

Build the Dev

Deploy AUT

Various Tests

EXPOSE DATASECURITYNIGHTLYSCM

IMPLEMENTATION

IBM AppScan implementation

Create a new scan Add your application URL Configure Policy and details

Live System URL and Login details

Predefined scan policy and scan configuration

HP Fortify implementation

Create a new scanOn local server

Upload the FPRTo F360 server

Scan and AuditOn F360 server

Generate ReportsPDF and XML

implementation

Connect to my projectOn my local server

Create a scanOn Cx Central server

CheckMarx Jenkins plugin

Scan and UploadOn my local server

Scan and reportOn Cx Central server

Generate ReportsPDF and XML

bi-directional

HTTP XML Exposed to all

HTTP XML Exposed to all

The status contains links and info (internally developed)

Link to the PDF report

Relevant info from the scan

Status by our definition

Everyone knows the status. Always.

Both product and implementation teams are updated

New issues fixed immediately

We never spend time for security fixes

Security awareness in our group