Security scanning overview

Transcript

1. Security Scanning Overview Tetiana Chupryna Feb 16 2018 Kyiv

2. Te(a)ti(y)ana

3. GitLab Te(a)ti(y)ana

4. GitLab Secure Te(a)ti(y)ana

5. GitLab Secure dogs Te(a)ti(y)ana

6. None

7. Security Scanning

8. Application Security Security Scanning

9. Information Security Application Security Security Scanning

10. None

11. Application security • Defend assets • Search vulnerabilities • Prevent

    attacks • Disarm treats

12. a story

13. Alice

14. Alice

15. Alice Bob

16. Alice Bob Trudy

17. Alice Bob Trudy

18. Alice Bob Walter

19. Common Weakness Enumeration (CWE) • Common language for describing software

    security weaknesses • Standard measuring stick for software security tools • Common baseline standard for weakness identification, mitigation, and prevention efforts

20. Common Vulnerabilities and Exposures (CVE) • List of known vulnerabilities

    inside products • Widely used by many services

21. Vulnerability • What? (Identifier, Name, Description) • Where? (Location) •

    How critical? (Severity) • How confident? (Confidence)

22. Level 1 Your code is a problem

23. SAST • Static Application Security Testing • Testing from inside

    out (white-box) • Technology dependent

24. Tools (owasp.org) • Brakeman - Rails • Codesake Dawn -

    Ruby (~)

25. DAST • Dynamic Application Security Testing • Testing from outside

    (black box) • Live attack on staging • HTTP - lingua-franca

26. ZAProxy • OWASP Zed Attack Proxy Project • Open source

27. What else? • Secrets detection • Interactive Application Security Testing

    (IAST) • Fuzzing

28. Top 10 Rails vulnerabilities • Failure to Restrict URL Access

    • Preventing SQLi in Ruby • Cross-Site Scripting (XSS) • Injection • Cross-Site Request Forgery (CSRF) • Insecure Cryptographic Storage • Broken Authentication and Session Management • Invalidated Redirects and Forwards • Insecure Direct Object References • Insufficient Transport Layer Protection • Security Misconfiguration

29. Level 2 Other’s code is a problem

30. Dependency Scanning • Software Composition Analysis • Tricky one

31. Alice Bob Trudy Heidi

32. “Given enough eyeballs, all bugs are shallow.” –Linus Torvalds

33. ShellShock existed in the OpenSSL library for more than 22

    years

34. Tools • OWASP Dependency-Check • Gemnasium (part of GitLab) •

    snyk.io

35. Level 3 It’s not about code anymore

36. Container scanning • Scanning Docker images for known vulnerabilities •

    cause there are dependencies as well

37. Tools • Clair • Docker Trusted Registry

38. None

39. Alice Bob Trudy Walter

40. None

41. DevOpsSec

42. Do I need it?

43. No

44. Yes

45. What we do in GitLab? • One tool to rule

    them all. • Insert secure tools into DevOps cycle. • Tool to help Security Analysts. • Auto-remediate functionality.

46. Security Dashboard

47. Use with pipeline sast: image: docker:stable variables: DOCKER_DRIVER: overlay2 allow_failure:

    true services: - docker:stable-dind script: - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/') - docker run --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}" --volume "$PWD:/code" --volume /var/run/docker.sock:/var/run/docker.sock "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code artifacts: reports: sast: gl-sast-report.json

48. Available features • SAST • DAST • Dependency Scanning •

    Container Scanning • License Management • … and more!

49. Stay safe!

50. Photo Credits • @bichon_frise_ally • @hongeunyeong • @arang2o_o • @tofupuppers

51. Security Scanning Overview