Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security scanning overview
Search
tetiana chupryna
February 16, 2019
Programming
1
88
Security scanning overview
We’ll talk about different types of vulnerabilities, scanning tools and the whole process per se.
tetiana chupryna
February 16, 2019
Tweet
Share
More Decks by tetiana chupryna
See All by tetiana chupryna
GitLab, Journey In Time
brytannia
0
24
Security Scanning with GitLab
brytannia
0
53
Время Ruby
brytannia
0
110
Microservice communication with RabbitMQ
brytannia
0
91
Язык программирования за 5 мучительных минут
brytannia
0
85
Если у вас в руках молоток
brytannia
1
170
Continuous delivery with Codeship
brytannia
0
78
Neo4j a bit of math and magic
brytannia
0
75
Other Decks in Programming
See All in Programming
第9回 情シス転職ミートアップ 株式会社IVRy(アイブリー)の紹介
ivry_presentationmaterials
1
230
Benchmark
sysong
0
250
A2A プロトコルを試してみる
azukiazusa1
2
1.1k
XSLTで作るBrainfuck処理系
makki_d
0
210
たった 1 枚の PHP ファイルで実装する MCP サーバ / MCP Server with Vanilla PHP
okashoi
1
170
Cursor AI Agentと伴走する アプリケーションの高速リプレイス
daisuketakeda
1
130
Haskell でアルゴリズムを抽象化する / 関数型言語で競技プログラミング
naoya
17
4.9k
VS Code Update for GitHub Copilot
74th
1
310
datadog dash 2025 LLM observability for reliability and stability
ivry_presentationmaterials
0
110
PHP 8.4の新機能「プロパティフック」から学ぶオブジェクト指向設計とリスコフの置換原則
kentaroutakeda
2
470
設計やレビューに悩んでいるPHPerに贈る、クリーンなオブジェクト設計の指針たち
panda_program
6
1.2k
関数型まつり2025登壇資料「関数プログラミングと再帰」
taisontsukada
2
850
Featured
See All Featured
StorybookのUI Testing Handbookを読んだ
zakiyama
30
5.8k
Writing Fast Ruby
sferik
628
61k
Designing Experiences People Love
moore
142
24k
Rebuilding a faster, lazier Slack
samanthasiow
81
9k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.4k
Git: the NoSQL Database
bkeepers
PRO
430
65k
Producing Creativity
orderedlist
PRO
346
40k
Practical Orchestrator
shlominoach
188
11k
How GitHub (no longer) Works
holman
314
140k
Faster Mobile Websites
deanohume
307
31k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
252
21k
Agile that works and the tools we love
rasmusluckow
329
21k
Transcript
Security Scanning Overview Tetiana Chupryna Feb 16 2018 Kyiv
Te(a)ti(y)ana
GitLab Te(a)ti(y)ana
GitLab Secure Te(a)ti(y)ana
GitLab Secure dogs Te(a)ti(y)ana
None
Security Scanning
Application Security Security Scanning
Information Security Application Security Security Scanning
None
Application security • Defend assets • Search vulnerabilities • Prevent
attacks • Disarm treats
a story
Alice
Alice
Alice Bob
Alice Bob Trudy
Alice Bob Trudy
Alice Bob Walter
Common Weakness Enumeration (CWE) • Common language for describing software
security weaknesses • Standard measuring stick for software security tools • Common baseline standard for weakness identification, mitigation, and prevention efforts
Common Vulnerabilities and Exposures (CVE) • List of known vulnerabilities
inside products • Widely used by many services
Vulnerability • What? (Identifier, Name, Description) • Where? (Location) •
How critical? (Severity) • How confident? (Confidence)
Level 1 Your code is a problem
SAST • Static Application Security Testing • Testing from inside
out (white-box) • Technology dependent
Tools (owasp.org) • Brakeman - Rails • Codesake Dawn -
Ruby (~)
DAST • Dynamic Application Security Testing • Testing from outside
(black box) • Live attack on staging • HTTP - lingua-franca
ZAProxy • OWASP Zed Attack Proxy Project • Open source
What else? • Secrets detection • Interactive Application Security Testing
(IAST) • Fuzzing
Top 10 Rails vulnerabilities • Failure to Restrict URL Access
• Preventing SQLi in Ruby • Cross-Site Scripting (XSS) • Injection • Cross-Site Request Forgery (CSRF) • Insecure Cryptographic Storage • Broken Authentication and Session Management • Invalidated Redirects and Forwards • Insecure Direct Object References • Insufficient Transport Layer Protection • Security Misconfiguration
Level 2 Other’s code is a problem
Dependency Scanning • Software Composition Analysis • Tricky one
Alice Bob Trudy Heidi
“Given enough eyeballs, all bugs are shallow.” –Linus Torvalds
ShellShock existed in the OpenSSL library for more than 22
years
Tools • OWASP Dependency-Check • Gemnasium (part of GitLab) •
snyk.io
Level 3 It’s not about code anymore
Container scanning • Scanning Docker images for known vulnerabilities •
cause there are dependencies as well
Tools • Clair • Docker Trusted Registry
None
Alice Bob Trudy Walter
None
DevOpsSec
Do I need it?
No
Yes
What we do in GitLab? • One tool to rule
them all. • Insert secure tools into DevOps cycle. • Tool to help Security Analysts. • Auto-remediate functionality.
Security Dashboard
Use with pipeline sast: image: docker:stable variables: DOCKER_DRIVER: overlay2 allow_failure:
true services: - docker:stable-dind script: - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/') - docker run --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}" --volume "$PWD:/code" --volume /var/run/docker.sock:/var/run/docker.sock "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code artifacts: reports: sast: gl-sast-report.json
Available features • SAST • DAST • Dependency Scanning •
Container Scanning • License Management • … and more!
Stay safe!
Photo Credits • @bichon_frise_ally • @hongeunyeong • @arang2o_o • @tofupuppers
Security Scanning Overview