Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security scanning overview
Search
tetiana chupryna
February 16, 2019
Programming
1
56
Security scanning overview
We’ll talk about different types of vulnerabilities, scanning tools and the whole process per se.
tetiana chupryna
February 16, 2019
Tweet
Share
More Decks by tetiana chupryna
See All by tetiana chupryna
GitLab, Journey In Time
brytannia
0
16
Security Scanning with GitLab
brytannia
0
48
Время Ruby
brytannia
0
87
Microservice communication with RabbitMQ
brytannia
0
84
Язык программирования за 5 мучительных минут
brytannia
0
60
Если у вас в руках молоток
brytannia
1
140
Continuous delivery with Codeship
brytannia
0
73
Neo4j a bit of math and magic
brytannia
0
71
Other Decks in Programming
See All in Programming
VSCodeでのDatabricks開発もお勧めしたい/I would also recommend Databricks development with VSCode.
kazumain
0
240
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
180
ADRを一年運用してみた/adr_after_a_year
hanhan1978
7
2.3k
Folding Cheat Sheet #3
philipschwarz
PRO
0
120
Changed Rules: Architectures with Lightweight Stores
manfredsteyer
PRO
0
230
try! Swift Tokyo 2024 参加報告 / try! Swift Tokyo 2024 Report
hironytic
0
180
元気予報
suu_mire0726
0
860
⼤規模⾔語モデルの拡張(RAG)が 終わったかも知れない件について
nearme_tech
22
15k
SpringBoot+MyBatisで例外が出たときどこを見るか
syukai
0
110
Java 22 Overview
kishida
1
170
コードレビューで学ぶ!Kotlinオブジェクト指向デザインパターン
akkie76
2
180
二郎系ラーメンのコールで学ぶ AST 解析
memory1994
PRO
7
1.7k
Featured
See All Featured
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
119
39k
RailsConf 2023
tenderlove
2
530
The Cult of Friendly URLs
andyhume
74
5.7k
VelocityConf: Rendering Performance Case Studies
addyosmani
320
23k
Reflections from 52 weeks, 52 projects
jeffersonlam
344
19k
BBQ
matthewcrist
80
8.7k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
9
8.3k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
356
22k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
5
1.5k
Gamification - CAS2011
davidbonilla
76
4.6k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
6
990
Visualization
eitanlees
135
14k
Transcript
Security Scanning Overview Tetiana Chupryna Feb 16 2018 Kyiv
Te(a)ti(y)ana
GitLab Te(a)ti(y)ana
GitLab Secure Te(a)ti(y)ana
GitLab Secure dogs Te(a)ti(y)ana
None
Security Scanning
Application Security Security Scanning
Information Security Application Security Security Scanning
None
Application security • Defend assets • Search vulnerabilities • Prevent
attacks • Disarm treats
a story
Alice
Alice
Alice Bob
Alice Bob Trudy
Alice Bob Trudy
Alice Bob Walter
Common Weakness Enumeration (CWE) • Common language for describing software
security weaknesses • Standard measuring stick for software security tools • Common baseline standard for weakness identification, mitigation, and prevention efforts
Common Vulnerabilities and Exposures (CVE) • List of known vulnerabilities
inside products • Widely used by many services
Vulnerability • What? (Identifier, Name, Description) • Where? (Location) •
How critical? (Severity) • How confident? (Confidence)
Level 1 Your code is a problem
SAST • Static Application Security Testing • Testing from inside
out (white-box) • Technology dependent
Tools (owasp.org) • Brakeman - Rails • Codesake Dawn -
Ruby (~)
DAST • Dynamic Application Security Testing • Testing from outside
(black box) • Live attack on staging • HTTP - lingua-franca
ZAProxy • OWASP Zed Attack Proxy Project • Open source
What else? • Secrets detection • Interactive Application Security Testing
(IAST) • Fuzzing
Top 10 Rails vulnerabilities • Failure to Restrict URL Access
• Preventing SQLi in Ruby • Cross-Site Scripting (XSS) • Injection • Cross-Site Request Forgery (CSRF) • Insecure Cryptographic Storage • Broken Authentication and Session Management • Invalidated Redirects and Forwards • Insecure Direct Object References • Insufficient Transport Layer Protection • Security Misconfiguration
Level 2 Other’s code is a problem
Dependency Scanning • Software Composition Analysis • Tricky one
Alice Bob Trudy Heidi
“Given enough eyeballs, all bugs are shallow.” –Linus Torvalds
ShellShock existed in the OpenSSL library for more than 22
years
Tools • OWASP Dependency-Check • Gemnasium (part of GitLab) •
snyk.io
Level 3 It’s not about code anymore
Container scanning • Scanning Docker images for known vulnerabilities •
cause there are dependencies as well
Tools • Clair • Docker Trusted Registry
None
Alice Bob Trudy Walter
None
DevOpsSec
Do I need it?
No
Yes
What we do in GitLab? • One tool to rule
them all. • Insert secure tools into DevOps cycle. • Tool to help Security Analysts. • Auto-remediate functionality.
Security Dashboard
Use with pipeline sast: image: docker:stable variables: DOCKER_DRIVER: overlay2 allow_failure:
true services: - docker:stable-dind script: - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/') - docker run --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}" --volume "$PWD:/code" --volume /var/run/docker.sock:/var/run/docker.sock "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code artifacts: reports: sast: gl-sast-report.json
Available features • SAST • DAST • Dependency Scanning •
Container Scanning • License Management • … and more!
Stay safe!
Photo Credits • @bichon_frise_ally • @hongeunyeong • @arang2o_o • @tofupuppers
Security Scanning Overview