Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevOpsDays Cuba 2016: Ignite - Security Testing for Web Apps using OSS

DevOpsDays Cuba
October 20, 2016
Technology
0
57

DevOpsDays Cuba 2016: Ignite - Security Testing for Web Apps using OSS

Author: Marialina Ballesteros Hernández
Summary:
Importancia de los Test de seguridad y su utilización en la integración continua. Utilización de la herramienta brakeman para chequear vulnerabilidades de seguridad en el código fuente de proyectos de Ruby. Experiencias con las herramientas Arachni y Zaproxy para “pentesting” automatizado y manual respectivamente.

DevOpsDays Cuba

October 20, 2016
Tweet

More Decks by DevOpsDays Cuba

See All by DevOpsDays Cuba
DevOpsDays Cuba 2017: BigData perspectiva DevOps
devopsdayscuba
0
80
DevOpsDays Cuba 2017: Continuous Delivery with Gitlab Apache Mesos and Marathon
devopsdayscuba
0
570
DevOpsDays Cuba 2017: Workshop - Essential DevOps
devopsdayscuba
0
440
DevOpsDays Cuba 2017: Ignite - Performance test for Web Apps
devopsdayscuba
0
380
DevOpsDays Cuba 2017: El valor de Docker para grupos DevOps
devopsdayscuba
0
390
DevOpsDays Cuba 2017: Starting and Growing Your DevOps Teams
devopsdayscuba
0
290
DevOpsDays Cuba 2017: DEVOPS PITFALLS
devopsdayscuba
0
290
DevOpsDays Cuba 2017: Ignite - Build and install scientific software with EasyBuild in HPC systems
devopsdayscuba
0
310
DevOpsDays Cuba 2017: Ignite - Monitorización más allá de los servicios y sistemas enfoques para Centros de Datos de Nueva Generación
devopsdayscuba
0
320

Other Decks in Technology

See All in Technology
Reducing Cross-Zone Egress at Spotify with Custom gRPC Load Balancing Recap
koh_naga
0
150
"好き"との生活/Regularly update profile with GitHub Actions
judeeeee
0
150
WebアプリケーションにおけるPDOの使い方入門 / phpcon odawara 2024
meihei3
2
430
「手動オペレーションに定評がある」と言われた私が心がけていること / phpcon_odawara2024
blue_goheimochi
2
320
現代CSSフレームワークの内部実装とその仕組み
poteboy
6
2k
マルチアカウント環境への発見的統制の導入
ch1aki
1
1.3k
オブザーバビリティの Primary Signals
onk
PRO
0
550
「共通基盤」を超えよ! 今、Platform Engineeringに取り組むべき理由
jacopen
25
5.9k
Terraformあれやこれ/terraform-this-and-that
emiki
7
620
元インフラエンジニアに成る / Human Resources to Human Relations
bobtani
3
830
少数チームで挑む: SwiftUI, TCA, KMPを用いた 新規動画配信アプリ 「ABEMA Live」の開発について
tomu28
0
550
コンテナセキュリティの基本と脅威への対策
kyohmizu
3
710

Featured

See All Featured
Build your cross-platform service in a week with App Engine
jlugia
225
17k
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
12
1.5k
Learning to Love Humans: Emotional Interface Design
aarron
266
39k
Become a Pro
speakerdeck
PRO
10
4.5k
The Brand Is Dead. Long Live the Brand.
mthomps
48
28k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
240
1.2M
Web development in the modern age
philhawksworth
202
10k
A Philosophy of Restraint
colly
196
16k
The Cult of Friendly URLs
andyhume
74
5.7k
Embracing the Ebb and Flow
colly
79
4.1k
How GitHub Uses GitHub to Build GitHub
holman
468
290k

Transcript

  1. Security Testing for Web Apps using OSS

  2. Marialina Ballesteros Ops team at @MarialinaBall http://www.linkedin.com/in/marialina-ballesteros

  3. Is our Web App ready for production? Test Requirement features

    QA Security

  4. Security & DevOps • Should be involved earlier in development

  5. Security & DevOps • Should be involved earlier in development

    • Should balance the audit/security needs for faster deployments.

  6. Security & DevOps • Should be involved earlier in development

    • Should balance the audit/security needs for faster deployments. • Security, Development, Ops and Testing should be aligned.

  7. Security Testing Automatic Pentesting Manual Pentesting Online Pentesting Source Code

    Analysis

  8. “Penetration testing [is] defined as a legal and authorized attempt

    to locate and successfully exploit computer systems for the purpose of making those systems more secure.” Patrick Engebretson The Basics of Hacking and Penetration Testing

  9. Standard phases for pentesting: Pre-engagement Interactions Intelligence Gathering Threat Modeling

    Vulnerability Analysis Exploitation Post Exploitation Reporting

  10. Test scenarios at Web App PenTesting: Cross Site Scripting SQL

    Injection Broken authentication and session management File Upload flaws Caching Servers Attacks Security Misconfigurations Cross Site Request Forgery Password Cracking

  11. Linux Distro Tools Advanced Penetration Testing Distribution

  12. None

  13. What tools choose • Date Release • Accuracy • False

    Positive • Report

  14. Security Test Tools: Source Code Analysis Brakeman

  15. Security Test Tools: Automatic Pentesting Arachni

  16. Security Test Tools: Manual Pentesting Zap Proxy

  17. Develop Code Commit Source Control Build Trigger Tests Deploy to

    Production Deploy to Test Env Report & Notify Publish to release repository Automatic security test SCA Test Security within Continuous Deployment Manual security test

  18. Web App Security Testing • Identifying unknown vulnerabilities. • Checking

    the effectiveness of the security policies. • Finding the loopholes which can lead to theft of sensitive data.

  19. READY FOR PRODUCTION!!!! NOW THE APP IS MORE SECURE