Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevOpsDays Cuba 2016: Ignite - Security Testing...

DevOpsDays Cuba
October 20, 2016
Technology
0
68

DevOpsDays Cuba 2016: Ignite - Security Testing for Web Apps using OSS

Author: Marialina Ballesteros Hernández
Summary:
Importancia de los Test de seguridad y su utilización en la integración continua. Utilización de la herramienta brakeman para chequear vulnerabilidades de seguridad en el código fuente de proyectos de Ruby. Experiencias con las herramientas Arachni y Zaproxy para “pentesting” automatizado y manual respectivamente.

DevOpsDays Cuba

October 20, 2016
Tweet

More Decks by DevOpsDays Cuba

See All by DevOpsDays Cuba
DevOpsDays Cuba 2017: BigData perspectiva DevOps
devopsdayscuba
0
89
DevOpsDays Cuba 2017: Continuous Delivery with Gitlab Apache Mesos and Marathon
devopsdayscuba
0
590
DevOpsDays Cuba 2017: Workshop - Essential DevOps
devopsdayscuba
0
510
DevOpsDays Cuba 2017: Ignite - Performance test for Web Apps
devopsdayscuba
0
450
DevOpsDays Cuba 2017: El valor de Docker para grupos DevOps
devopsdayscuba
0
480
DevOpsDays Cuba 2017: Starting and Growing Your DevOps Teams
devopsdayscuba
0
340
DevOpsDays Cuba 2017: DEVOPS PITFALLS
devopsdayscuba
0
340
DevOpsDays Cuba 2017: Ignite - Build and install scientific software with EasyBuild in HPC systems
devopsdayscuba
0
340
DevOpsDays Cuba 2017: Ignite - Monitorización más allá de los servicios y sistemas enfoques para Centros de Datos de Nueva Generación
devopsdayscuba
0
380

Other Decks in Technology

See All in Technology
社外コミュニティで学び社内に活かす共に学ぶプロジェクトの実践/backlogworld2024
nishiuma
0
260
ずっと昔に Star をつけたはずの 思い出せない GitHub リポジトリを見つけたい!
rokuosan
0
150
【re:Invent 2024 アプデ】 Prompt Routing の紹介
champ
0
140
Wvlet: A New Flow-Style Query Language For Functional Data Modeling and Interactive Data Analysis - Trino Summit 2024
xerial
1
110
KubeCon NA 2024 Recap / Running WebAssembly (Wasm) Workloads Side-by-Side with Container Workloads
z63d
1
240
Postman と API セキュリティ / Postman and API Security
yokawasa
0
200
NW-JAWS #14 re:Invent 2024(予選落ち含)で 発表された推しアップデートについて
nagisa53
0
250
スタートアップで取り組んでいるAzureとMicrosoft 365のセキュリティ対策/How to Improve Azure and Microsoft 365 Security at Startup
yuj1osm
0
210
UI State設計とテスト方針
rmakiyama
2
430
組織に自動テストを書く文化を根付かせる戦略(2024冬版) / Building Automated Test Culture 2024 Winter Edition
twada
PRO
12
3.5k
Jetpack Composeで始めるServer Cache State
ogaclejapan
2
170
サービスでLLMを採用したばっかりに振り回され続けたこの一年のあれやこれや
segavvy
2
390

Featured

See All Featured
Scaling GitHub
holman
458
140k
Adopting Sorbet at Scale
ufuk
73
9.1k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.6k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
28
2.1k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
29
2k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Facilitating Awesome Meetings
lara
50
6.1k
The Language of Interfaces
destraynor
154
24k
How to train your dragon (web standard)
notwaldorf
88
5.7k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
Into the Great Unknown - MozCon
thekraken
33
1.5k

Transcript

  1. Security Testing for Web Apps using OSS

  2. Marialina Ballesteros Ops team at @MarialinaBall http://www.linkedin.com/in/marialina-ballesteros

  3. Is our Web App ready for production? Test Requirement features

    QA Security

  4. Security & DevOps • Should be involved earlier in development

  5. Security & DevOps • Should be involved earlier in development

    • Should balance the audit/security needs for faster deployments.

  6. Security & DevOps • Should be involved earlier in development

    • Should balance the audit/security needs for faster deployments. • Security, Development, Ops and Testing should be aligned.

  7. Security Testing Automatic Pentesting Manual Pentesting Online Pentesting Source Code

    Analysis

  8. “Penetration testing [is] defined as a legal and authorized attempt

    to locate and successfully exploit computer systems for the purpose of making those systems more secure.” Patrick Engebretson The Basics of Hacking and Penetration Testing

  9. Standard phases for pentesting: Pre-engagement Interactions Intelligence Gathering Threat Modeling

    Vulnerability Analysis Exploitation Post Exploitation Reporting

  10. Test scenarios at Web App PenTesting: Cross Site Scripting SQL

    Injection Broken authentication and session management File Upload flaws Caching Servers Attacks Security Misconfigurations Cross Site Request Forgery Password Cracking

  11. Linux Distro Tools Advanced Penetration Testing Distribution

  12. None

  13. What tools choose • Date Release • Accuracy • False

    Positive • Report

  14. Security Test Tools: Source Code Analysis Brakeman

  15. Security Test Tools: Automatic Pentesting Arachni

  16. Security Test Tools: Manual Pentesting Zap Proxy

  17. Develop Code Commit Source Control Build Trigger Tests Deploy to

    Production Deploy to Test Env Report & Notify Publish to release repository Automatic security test SCA Test Security within Continuous Deployment Manual security test

  18. Web App Security Testing • Identifying unknown vulnerabilities. • Checking

    the effectiveness of the security policies. • Finding the loopholes which can lead to theft of sensitive data.

  19. READY FOR PRODUCTION!!!! NOW THE APP IS MORE SECURE