Security Scanning with GitLab

Transcript

1. Security Scanning Toruń GitLab Day, 9 Dec 2020 Tetiana Chupryna

2. Tetiana Backend Developer @ GitLab I work on Security features

   • lichess@brytannia • twitter@TetianaOfficial • gitlab@brytannia Here is my dog Darcy I live in Kharkiv, Ukraine

3. Let me tell a story

4. Alice Lead Dev @ Goodboy She uses GitLab

5. Bob Hides his treats with Goodboy

6. Trudy Wants to steal ALL THE TREATS

7. Trudy breaks the Goodboy web-site and steals hidden bones and

   cucumbers

8. Walter Private investigator Helps find breach and apply security fix

9. Why my code is vulnerable?

10. 945000000000$ World economy lost due to hacker attacks in 2020

    (McAfee report)

11. 96% had security incidents

12. Application security is important, and even more important

13. Attack vectors • Hardware • Software • Fishing

14. 4 of the 6 top attacks were application based

15. Security scanners • Static application security testing (SAST) • Dynamic

    application security testing (DAST) • Dependency Scanning • Container Scanning • Fuzz testing • Secret Detection

16. SAST White box • Testing from inside out • Tools

    are technology dependent • Similar to code quality but for security • In GitLab Core since 13.3

17. DAST Black box • Testing from outside • Live attack

    on staging • HTTP - lingua-franca • GitLab Ultimate

18. include: - template: SAST.gitlab-ci.yml - template: DAST.gitlab-ci.yml variables: DAST_WEBSITE: https://staging.goodboy.com

    gitlab_ci.yml

19. Pipeline view

20. Vulnerability report

21. Merge Request View

22. Now my application is secure!

23. Now I can use the app!

24. No!

25. Let me introduce Heidi

26. Heidi Lead Dev @ Tag-o-war Her library uses Alice

27. Dependency scanning Part of Composition Analysis • Checking for vulnerabilities

    in dependency packages • Tools are technology dependent • In GitLab Ultimate

28. include: - template: SAST.gitlab-ci.yml - template: DAST.gitlab-ci.yml - template: Dependency-Scanning.gitlab-ci.yml

    variables: DAST_WEBSITE: https://staging.goodboy.com gitlab_ci.yml

29. Dependency list

30. Automatical Remediation

31. Alice, your application is secure!

32. Oh no! However, I have a last attempt. Bob, when

    is your Birthday?

33. Alice has to make security checks as a part of

    her daily life

34. Security is not a state, it’s a process

35. Security is a collective responsibility

36. DevSecOps

37. GitLab is constantly improving Security tools and brings new features

    every month.

38. Stay safe

39. Dziękuję bardzo.