DevOpsDays Cuba 2016: Ignite - Security Testing for Web Apps using OSS

Author: Marialina Ballesteros Hernández
Summary:
The importance of security tests and their use in continuous integration. Use of the Brakeman tool to check for security vulnerabilities in the source code of Ruby projects. Experiences with the Arachni and Zaproxy tools for automated and manual pentesting, respectively.

DevOpsDays Cuba

October 20, 2016

Transcript

  1. Security Testing for Web Apps using OSS

  2. Marialina Ballesteros
    Ops team at
    @MarialinaBall
    http://www.linkedin.com/in/marialina-ballesteros

  3. Is our Web App ready for production?
    Test:
    Requirements
    Features
    QA
    Security

  4-6. Security & DevOps

    Should be involved earlier in development.

    Should balance the audit/security needs
    against the need for faster deployments.

    Security, Development, Ops and Testing
    should be aligned.

  7. Security Testing
    Automatic Pentesting
    Manual Pentesting
    Online Pentesting
    Source Code Analysis

  8. “Penetration testing [is] defined as a legal and
    authorized attempt to locate and successfully exploit
    computer systems for the purpose of making those
    systems more secure.”
    Patrick Engebretson
    The Basics of Hacking and Penetration Testing

  9. Standard phases for pentesting:
    Pre-engagement Interactions
    Intelligence Gathering
    Threat Modeling
    Vulnerability Analysis
    Exploitation
    Post Exploitation
    Reporting

  10. Test scenarios in Web App Pentesting:
    Cross Site Scripting
    SQL Injection
    Broken authentication and session management
    File upload flaws
    Caching server attacks
    Security misconfigurations
    Cross Site Request Forgery
    Password cracking

  11. Linux Distro Tools
    Advanced Penetration Testing Distribution

  12. What tools to choose: selection criteria
    Release date (is the tool still maintained?)
    Accuracy
    False positive rate
    Report quality

  13. Security Test Tools: Source Code Analysis
    Brakeman
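As an added example (it is not code from the talk or from Brakeman itself) of the SQL Injection scenario on slide 10 and of the pattern Brakeman's SQL Injection check reports: a Rails-style query built by string interpolation, beside the bound-parameter form. Rails and a database are not used; `quote` and `bind` are small stand-ins for the adapter's quoting (an assumption: standard SQL single-quote escaping), and `tautology_injected?` is a hypothetical helper that checks whether an injected `OR` reached the statement structure outside a string literal.

```ruby
# Added example, not code from the talk or from Brakeman.
# Stand-in for an ActiveRecord query so the file runs without Rails or a DB.

# Vulnerable: params[:name] is interpolated into the SQL fragment. This is the
# shape Brakeman's SQL Injection check reports (user_input: params[:name]).
def find_user_sql_vulnerable(params)
  "SELECT * FROM users WHERE name = '#{params[:name]}'"
end

# Hardened: the SQL text stays constant and the value is bound. In Rails this
# is User.where("name = ?", params[:name]); here `bind` plays the adapter.
def find_user_sql_hardened(params)
  bind("SELECT * FROM users WHERE name = ?", params[:name])
end

# Assumption: single quotes are the only quoting the backend needs, as in
# standard SQL string literals; a real adapter's quoting is driver-specific.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Replace each ? placeholder with a quoted value. Splitting first means a '?'
# inside a bound value is never mistaken for a placeholder.
def bind(sql, *values)
  parts = sql.split("?", -1)
  unless parts.size == values.size + 1
    raise ArgumentError, "expected #{parts.size - 1} values, got #{values.size}"
  end
  parts.zip(values.map { |v| quote(v) } + [""]).flatten.join
end

# Hypothetical check for the demo: strip every single-quoted literal (with ''
# escapes) and see whether an OR keyword survives in the statement structure.
def outside_literals(sql)
  sql.gsub(/'(?:[^']|'')*'/, "")
end

def tautology_injected?(sql)
  !!(outside_literals(sql) =~ /\bOR\b/i)
end

payload = { name: "' OR '1'='1" }   # classic tautology payload
puts find_user_sql_vulnerable(payload)   # the OR is now part of the WHERE clause
puts find_user_sql_hardened(payload)     # the OR stays inside the string literal
puts tautology_injected?(find_user_sql_vulnerable(payload))  # true
puts tautology_injected?(find_user_sql_hardened(payload))    # false
```

Brakeman reports the first form because it sees user input flowing into a SQL string; the fix is not to escape better in the controller but to keep the query text free of input and let the adapter bind the value.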

  14. Security Test Tools: Automatic Pentesting
    Arachni

  15. Security Test Tools: Manual Pentesting
    Zap Proxy

  16. Security within Continuous Deployment

    Pipeline stages:
    Develop Code → Commit to Source Control → Build → Trigger Tests
    → Deploy to Test Env → Publish to release repository
    → Deploy to Production, with Report & Notify feeding back to the team.

    Security test points in the pipeline:
    SCA Test (source code analysis on the committed code, at build time)
    Automatic security test (against the deployed Test Env)
    Manual security test (against the deployed Test Env)
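As an added example of the SCA Test gate in the pipeline above (it is not the speaker's script and not part of Brakeman): a small Ruby gate that reads the JSON report Brakeman writes with `brakeman -f json -o report.json`, fails the build when a warning at or above a chosen confidence is present or when the scan itself reported errors, and produces the lines for the Report & Notify step. The report embedded below is constructed for the example and only follows the field names of Brakeman's JSON output; the finding in it is invented. Brakeman already exits non-zero when it finds any warning, so the point of the gate is to decide the threshold in one place and to keep scan errors from passing silently.

```ruby
require "json"

# Constructed sample shaped like `brakeman -f json` output. The field names
# follow Brakeman's JSON report; the application and findings are made up.
SAMPLE_REPORT = <<~JSON
  {
    "scan_info": {"app_path": "/build/app"},
    "warnings": [
      {"warning_type": "SQL Injection", "check_name": "SQL", "confidence": "High",
       "file": "app/controllers/users_controller.rb", "line": 12,
       "message": "Possible SQL injection", "user_input": "params[:name]"},
      {"warning_type": "Cross-Site Scripting", "check_name": "CrossSiteScripting",
       "confidence": "Weak", "file": "app/views/users/show.html.erb", "line": 4,
       "message": "Unescaped model attribute", "user_input": null}
    ],
    "ignored_warnings": [],
    "errors": []
  }
JSON

# Brakeman reports confidence as High, Medium or Weak; rank them so a
# threshold can be compared numerically. Unknown values rank lowest.
CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

# Warnings at or above the chosen confidence; these block the build.
def blocking_warnings(report_json, min_confidence: "Medium")
  report = JSON.parse(report_json)
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  report.fetch("warnings", []).select do |w|
    CONFIDENCE_RANK.fetch(w["confidence"], 0) >= threshold
  end
end

# One line per blocking warning for the Report & Notify step.
def summary_lines(warnings)
  warnings.map do |w|
    "#{w['confidence']}: #{w['warning_type']} at #{w['file']}:#{w['line']} " \
      "(input: #{w['user_input'] || 'n/a'})"
  end
end

# The gate decision. Fails closed: if Brakeman could not process part of the
# application, "errors" is non-empty and the scan result is incomplete.
def build_should_fail?(report_json, min_confidence: "Medium")
  report = JSON.parse(report_json)
  return true unless report.fetch("errors", []).empty?
  !blocking_warnings(report_json, min_confidence: min_confidence).empty?
end

# Process exit status for the CI step (0 passes, 1 fails the build).
def exit_status(report_json, min_confidence: "Medium")
  build_should_fail?(report_json, min_confidence: min_confidence) ? 1 : 0
end

report = SAMPLE_REPORT
summary_lines(blocking_warnings(report)).each { |line| puts line }
puts "gate exit status: #{exit_status(report)}"   # 1: the High SQL Injection blocks the build
```

In the pipeline the step would read the real report (`File.read("report.json")`) and call `exit exit_status(...)`; that exit status is what the CI server turns into a failed build, while the summary lines go to the notification channel. The Weak finding is listed only when the threshold is lowered to `"Weak"`, which is how a team tunes the false positive rate mentioned on slide 12 without silencing the high-confidence findings.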

  17. Web App Security Testing
    • Identifying unknown vulnerabilities.
    • Checking the effectiveness of the security policies.
    • Finding the loopholes which can lead to theft of sensitive
    data.

  18. READY
    FOR PRODUCTION!!!!
    NOW THE APP IS MORE SECURE
