Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Continues Security - OpenTechDay 2017

Arjan Gelderblom
April 20, 2017
Programming
0
520

Continues Security - OpenTechDay 2017

In today’s fast and ‘ continuous development’ – cycle security is forced, but most of the time failing, to keep up with this pace. Security is almost all the time implemented as “hurdle” after releasing which needs to be taken before we can go to production. Being included after the fact means that you have to catch up on design and implementation before you can test for security related issues. By integrating security in the CI/CD pipeline and in our daily work flow it will be involved throughout the whole life cycle of the development of a feature and thus security can and will be involved from inception of a feature.

Arjan Gelderblom

April 20, 2017
Tweet

More Decks by Arjan Gelderblom

See All by Arjan Gelderblom
3rd Party Libraries: The Dark Side
agelderblom
0
63
Continuous Security - Meetup: Continuous Delivery Amsterdam
agelderblom
0
80

Other Decks in Programming

See All in Programming
Cloudflare MCP ServerでClaude Desktop からWeb APIを構築
kutakutat
1
630
情報漏洩させないための設計
kubotak
5
1.2k
開発者とQAの越境で自動テストが増える開発プロセスを実現する
92thunder
1
220
Effective Signals in Angular 19+: Rules and Helpers
manfredsteyer
PRO
0
350
Итераторы в Go 1.23: зачем они нужны, как использовать, и насколько они быстрые?
lamodatech
0
1.3k
見えないメモリを観測する: PHP 8.4 `pg_result_memory_size()` とSQL結果のメモリ管理
kentaroutakeda
0
900
Асинхронность неизбежна: как мы проектировали сервис уведомлений
lamodatech
0
1.3k
MCP with Cloudflare Workers
yusukebe
2
270
テストケースの名前はどうつけるべきか?
orgachem
PRO
1
180
선언형 UI에서의 상태관리
l2hyunwoo
0
250
React 19でお手軽にCSS-in-JSを自作する
yukukotani
5
530
オニオンアーキテクチャを使って、 Unityと.NETでコードを共有する
soi013
0
350

Featured

See All Featured
Statistics for Hackers
jakevdp
797
220k
The Art of Programming - Codeland 2020
erikaheidi
53
13k
Building Your Own Lightsaber
phodgson
104
6.2k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
29
2k
StorybookのUI Testing Handbookを読んだ
zakiyama
28
5.4k
Docker and Python
trallard
43
3.2k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.2k
Writing Fast Ruby
sferik
628
61k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
7
550
How to Think Like a Performance Engineer
csswizardry
22
1.3k
Designing for Performance
lara
604
68k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
44
9.3k

Transcript

  1. None

  2. “I admit it’s getting better, a little better all the

    time. It can’t get more worse!” - The Beatles

  3. CONTINUOUS SECURITY

  4. HELLO! I am Arjan Gelderblom I can be reached at

    [email protected] https://keybase.io/bloged
  5. None
  6. None

  7. WHY? Why burden developers with security?

  8. “To a hacker, you're just an IP address. You get

    hit because you let yourself be an easy mark.” - Ira Winkler

  9. Software Development Life Cycle design code test deploy

  10. Software Development Life Cycle design code test deploy

  11. Software Development Life Cycle design code test deploy

  12. Adding Sec to DevOps

  13. STARTING POINT

  14. Place your screenshot here The Bodgeit Store https://github.com/psiinon/bodgeit

  15. OUR INITIAL PIPELINE checkout build test deploy

  16. SOURCE CODE

  17. You Built a Slack Bot TO READ YOUR TEAM THE

    NEWS and It Told Everyone Everything http://observer.com/2016/04/slack-bot-benedict-arnold/ https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/

  18. The sensitive information in these examples has been modified or

    redacted

  19. gittyleaks Scanning source control. https://github.com/kootenpv/gittyleaks

  20. gittyleaks node { stage('gittyleaks') { sh 'export LC_ALL=C' sh 'gittyleaks

    -l [email protected]:psiinon/bodgeit.git' } }

  21. gittyleaks https://asciinema.org/a/6x2d74fond1j1mdlt9dpsx0pt

  22. FindBugs + FindSecBugs Static code analysis http://findbugs.sourceforge.net/ http://find-sec-bugs.github.io/

  23. FindBugs + FindSecBugs Static code analysis node { stage('findbugs') {

    sh 'findbugs -textui target/project.jar' } }

  24. FindBugs + FindSecBugs Static code analysis https://asciinema.org/a/8vgl8gsfj1qhevnr9c6285gkf

  25. CURRENT PIPELINE checkout build test deploy analysis

  26. TESTING

  27. Ever wanted to hack a University? http://netanelrub.in/2017/03/20/moodle-remote-code-execution/ https://threatpost.com/critical-moodle-vulnerability-could-lead-to-server-compromise/124446/

  28. 79940 (234 countries) Moodle sites registered https://moodle.net/sites/

  29. ZED Attack Proxy https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

  30. ZED Attack Proxy https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project node { stage('zap-baseline') { sh 'docker

    run -t owasp/zap2docker-stable zap-baseline.py -t http://172.17.0.2:8080/bodgeit' } }

  31. ZED Attack Proxy https://asciinema.org/a/1s2telu6m7vsd4uzxoursd8pt

  32. gauntlt Be Mean To Your Code And Like It http://gauntlt.org/

  33. gauntlt Be Mean To Your Code And Like It @slow

    Feature: simple nmap attack (sanity check) Background: Given "nmap" is installed And the following profile: | name | value | | hostname | 172.17.0.2 | Scenario: Verify server is available on standard web ports When I launch an "nmap" attack with: """ nmap -p 8080,443 <hostname> """ Then the output should match /8080.tcp\s+open/ And the output should not match: """ 443/tcp\s+open """

  34. gauntlt Be Mean To Your Code And Like It node

    { stage('gauntlt') { sh 'gauntlt custom/*/*.attack' } }

  35. gauntlt Be Mean To Your Code And Like It https://asciinema.org/a/2tfc8bfzygw6j6xvjgn2pvnia

  36. inspec Inspect Your Infrastructure http://inspec.io/

  37. inspec Inspect Your Infrastructure https://github.com/chef/inspec/blob/master/docs/profiles.md title '/port-8080 open' # you

    add controls here control "port 8080" do # A unique ID for this control impact 0.7 # The criticality, if this control fails. title "Port 8080 should be listening" # A human-readable title desc "Checking the port public port ..." # Describe why this is needed tag data: "port" # A tag allows you to associate key tag "security" # information to the test ref "Document A-12", url: 'http://...' # Additional references describe port(8080) do # Actual test it { should be_listening } end end

  38. inspec Inspect Your Infrastructure node { stage('inspec') { sh 'inspec

    exec inspec/example/ -t docker://f782c7f0a177' } }

  39. inspec Inspect Your Infrastructure https://asciinema.org/a/4ft5iso3jhu8vbh6shnatr1nk

  40. BDD Security Security Testing Framework https://www.continuumsecurity.net/bdd-security/

  41. BDD Security Security Testing Framework https://asciinema.org/a/8ixx15uydulugvw1syohgb03g

  42. beaker Cloud enabled acceptance testing https://github.com/puppetlabs/beaker

  43. CURRENT PIPELINE checkout build test deploy analysis

  44. EXTERNAL DEPENDENCIES

  45. HACKED http://wololo.net/2017/03/11/nintendo-switch-already-hacked-known-vulnerability/

  46. OpenVAS Vulnerability scanning and vulnerability management http://www.openvas.org/

  47. Want big impact? USE BIG IMAGE.

  48. cvechecker Vulnerability scanning and vulnerability management https://github.com/sjvermeu/cvechecker

  49. cvechecker Vulnerability scanning and vulnerability management https://github.com/sjvermeu/cvechecker node { stage('cvechecker')

    { sh 'find / -type f -perm -o+x > scanlist.txt' sh 'echo "/proc/version" >> scanlist.txt' sh 'cvechecker -b scanlist.txt' sh 'cvechecker -r' } }

  50. cvechecker Vulnerability scanning and vulnerability management https://asciinema.org/a/6xtccj8r0qjihh94ui1gu92ma

  51. https://alpinelinux.org/

  52. Alpine Linux Vulnerability scanning and vulnerability management https://asciinema.org/a/34ihmet34cd4ly523pfaml2uu

  53. OWASP Dependency Check https://www.owasp.org/index.php/OWASP_Dependency_Check

  54. OWASP Dependency Check node { stage('cvechecker') { sh 'mvn org.owasp:dependency-check-maven:1.4.5:aggregate'

    } }

  55. OWASP Dependency Check https://asciinema.org/a/6ytzredroiwvifzude45n3bcm

  56. http://www.networkworld.com/article/3162232/security/that-hearbleed-problem-may-be-more-pervasive-than-you-think.html

  57. Updates Base images & dependencies

  58. OPEN INFORMATION

  59. https://www.owasp.org https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

  60. Training OWASP WebGoat OWASP SecurityShepherd https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project https://www.owasp.org/index.php/OWASP_Security_Shepherd

  61. Software Development Life Cycle design code test deploy

  62. TAKEAWAYS

  63. None

  64. THANKS! Any questions? You can find me at [email protected] https://keybase.io/bloged

  65. None