Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Continuous Security - Meetup: Continuous Delivery Amsterdam

Arjan Gelderblom
October 11, 2017
Technology
0
63

Continuous Security - Meetup: Continuous Delivery Amsterdam

In today’s fast and 'continuous development' – cycle security is forced, but most of the time failing, to keep up with this pace. Security is almost all the time implemented as "hurdle" after releasing which needs to be taken before we can go to production. Being included after the fact means that you have to catch up on design and implementation before you can test for security related issues. By integrating security in the CI/CD pipeline and in our daily work flow it will be involved throughout the whole life cycle of the development of a feature and thus security can and will be involved from inception of a feature.

Arjan Gelderblom

October 11, 2017
Tweet

More Decks by Arjan Gelderblom

See All by Arjan Gelderblom
3rd Party Libraries: The Dark Side
agelderblom
0
57
Continues Security - OpenTechDay 2017
agelderblom
0
500

Other Decks in Technology

See All in Technology
DevOpsDays History and my DevOps story
kawaguti
PRO
8
1.5k
AWS を使う上で知っておきたいオンプレミス知識/aws-on-premise-essentials
emiki
1
4.2k
TransitGatewayの基礎
toru_kubota
0
230
〜小さく始めて大きく育てる〜データ分析基盤の開発から活用まで
kniino
0
2k
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
14
35k
SREとその組織類型
tatsuo48
8
1.5k
なぜ NOT A HOTEL が Web3 に取り組むのか - NOT A HOTEL TECH TALK
ynunokawa
0
160
Data and AI Governance: Existing Challenges and Emerging Trends
scotthsieh825
0
150
スタートアップの技術顧問を3年間続けて発生した事と気付き
biwakonbu
0
160
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs (QCon London)
inesmontani
PRO
1
150
テストプロセスで大事にしていること #jasstnano
makky_tyuyan
0
110
Janus
bkuhlmann
1
490

Featured

See All Featured
Documentation Writing (for coders)
carmenintech
59
3.9k
10 Git Anti Patterns You Should be Aware of
lemiorhan
646
57k
Web Components: a chance to create the future
zenorocha
305
41k
Reflections from 52 weeks, 52 projects
jeffersonlam
344
19k
What's new in Ruby 2.0
geeforr
337
31k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
186
16k
Git: the NoSQL Database
bkeepers
PRO
422
63k
Embracing the Ebb and Flow
colly
79
4.1k
Principles of Awesome APIs and How to Build Them.
keavy
120
16k
Navigating Team Friction
lara
177
13k
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
Being A Developer After 40
akosma
56
580k

Transcript

  1. None

  2. “I admit it’s getting better, a little better all the

    time. It can’t get more worse!” - The Beatles

  3. CONTINUOUS SECURITY Continuous Delivery Amsterdam - October 2017

  4. HELLO! I am Arjan Gelderblom I can be reached at

    [email protected] https://keybase.io/bloged
  5. None
  6. None

  7. WHY? Why burden developers with security?

  8. “To a hacker, you're just an IP address. You get

    hit because you let yourself be an easy mark.” - Ira Winkler

  9. Software Development Life Cycle design code test deploy

  10. Software Development Life Cycle design code test deploy

  11. Software Development Life Cycle design code test deploy

  12. Adding Sec to DevOps

  13. https://www.helpnetsecurity.com/2017/10/03/secure-coding-java/

  14. Secure or not? public static int stringCompare(String orig, String input)

    { char[] charArray1 = orig.toCharArray(); char[] charArray2 = input.toCharArray(); int length = charArray2.length; int k = 0; while (k < lim) { if (charArray1[k] != charArray2[k]) { return charArray1[k] - charArray2[k]; } k++; } return 0; } https://embedi.com/files/white-papers/silent-bob-is-silent.pdf

  15. STARTING POINT

  16. Place your screenshot here The Bodgeit Store https://github.com/psiinon/bodgeit

  17. OUR INITIAL PIPELINE checkout build test deploy

  18. SOURCE CODE

  19. You Built a Slack Bot TO READ YOUR TEAM THE

    NEWS and It Told Everyone Everything http://observer.com/2016/04/slack-bot-benedict-arnold/ https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/

  20. The sensitive information in these examples has been modified or

    redacted

  21. gittyleaks Scanning source control. https://github.com/kootenpv/gittyleaks

  22. gittyleaks node { stage('gittyleaks') { sh 'export LC_ALL=C' sh 'gittyleaks

    -l [email protected]:psiinon/bodgeit.git' } }

  23. gittyleaks https://asciinema.org/a/05zYKyQkOO8iidwxpPlW2jI8z

  24. FindBugs + FindSecBugs Static code analysis http://findbugs.sourceforge.net/ http://find-sec-bugs.github.io/

  25. FindBugs + FindSecBugs Static code analysis node { stage('findbugs') {

    sh 'findbugs -textui target/project.jar' } }

  26. FindBugs + FindSecBugs Static code analysis https://asciinema.org/a/8vgl8gsfj1qhevnr9c6285gkf

  27. CURRENT PIPELINE checkout build test deploy analysis

  28. TESTING

  29. Ever wanted to hack a University? http://netanelrub.in/2017/03/20/moodle-remote-code-execution/ https://threatpost.com/critical-moodle-vulnerability-could-lead-to-server-compromise/124446/

  30. 79940 (234 countries) Moodle sites registered https://moodle.net/sites/

  31. ZED Attack Proxy https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

  32. ZED Attack Proxy https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project node { stage('zap-baseline') { sh 'docker

    run -t owasp/zap2docker-stable zap-baseline.py -t http://172.17.0.2:8080/bodgeit' } }

  33. ZED Attack Proxy https://asciinema.org/a/1s2telu6m7vsd4uzxoursd8pt

  34. gauntlt Be Mean To Your Code And Like It http://gauntlt.org/

  35. gauntlt Be Mean To Your Code And Like It @slow

    Feature: simple nmap attack (sanity check) Background: Given "nmap" is installed And the following profile: | name | value | | hostname | 172.17.0.2 | Scenario: Verify server is available on standard web ports When I launch an "nmap" attack with: """ nmap -p 8080,443 <hostname> """ Then the output should match /8080.tcp\s+open/ And the output should not match: """ 443/tcp\s+open """

  36. gauntlt Be Mean To Your Code And Like It node

    { stage('gauntlt') { sh 'gauntlt custom/*/*.attack' } }

  37. gauntlt Be Mean To Your Code And Like It https://asciinema.org/a/2tfc8bfzygw6j6xvjgn2pvnia

  38. inspec Inspect Your Infrastructure http://inspec.io/

  39. inspec Inspect Your Infrastructure https://github.com/chef/inspec/blob/master/docs/profiles.md title '/port-8080 open' # you

    add controls here control "port 8080" do # A unique ID for this control impact 0.7 # The criticality, if this control fails. title "Port 8080 should be listening" # A human-readable title desc "Checking the port public port ..." # Describe why this is needed tag data: "port" # A tag allows you to associate key tag "security" # information to the test ref "Document A-12", url: 'http://...' # Additional references describe port(8080) do # Actual test it { should be_listening } end end

  40. inspec Inspect Your Infrastructure node { stage('inspec') { sh 'inspec

    exec inspec/example/ -t docker://f782c7f0a177' } }

  41. inspec Inspect Your Infrastructure https://asciinema.org/a/4ft5iso3jhu8vbh6shnatr1nk

  42. BDD Security Security Testing Framework https://www.continuumsecurity.net/bdd-security/

  43. BDD Security Security Testing Framework https://asciinema.org/a/8ixx15uydulugvw1syohgb03g

  44. beaker Cloud enabled acceptance testing https://github.com/puppetlabs/beaker

  45. CURRENT PIPELINE checkout build test deploy analysis

  46. EXTERNAL DEPENDENCIES

  47. https://en.wikipedia.org/wiki/Equifax#May.E2.80.93July_2017_security_breach

  48. OpenVAS Vulnerability scanning and vulnerability management http://www.openvas.org/

  49. Want big impact? USE BIG IMAGE.

  50. cvechecker Vulnerability scanning and vulnerability management https://github.com/sjvermeu/cvechecker

  51. cvechecker Vulnerability scanning and vulnerability management https://github.com/sjvermeu/cvechecker node { stage('cvechecker')

    { sh 'find / -type f -perm -o+x > scanlist.txt' sh 'echo "/proc/version" >> scanlist.txt' sh 'cvechecker -b scanlist.txt' sh 'cvechecker -r' } }

  52. cvechecker Vulnerability scanning and vulnerability management https://asciinema.org/a/6xtccj8r0qjihh94ui1gu92ma

  53. https://alpinelinux.org/

  54. Alpine Linux Vulnerability scanning and vulnerability management https://asciinema.org/a/34ihmet34cd4ly523pfaml2uu

  55. OWASP Dependency Check https://www.owasp.org/index.php/OWASP_Dependency_Check

  56. OWASP Dependency Check node { stage('cvechecker') { sh 'mvn org.owasp:dependency-check-maven:1.4.5:aggregate'

    } }

  57. OWASP Dependency Check https://asciinema.org/a/6ytzredroiwvifzude45n3bcm

  58. http://www.networkworld.com/article/3162232/security/that-hearbleed-problem-may-be-more-pervasive-than-you-think.html

  59. Updates Base images & dependencies

  60. OPEN INFORMATION

  61. https://www.owasp.org https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

  62. Training OWASP WebGoat OWASP SecurityShepherd https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project https://www.owasp.org/index.php/OWASP_Security_Shepherd

  63. Software Development Life Cycle design code test deploy

  64. TAKEAWAYS

  65. None

  66. THANKS! Any questions? You can find me at [email protected] https://www.first8.nl/nieuws-overzicht

  67. None