Battle-tested code without the battle

Everyone knows that we need to harden our code before it goes into production, but very few actually test for security flaws in their delivery pipeline. We will show a basic continuous delivery pipeline that should be familiar to anyone who has worked with continuous integration, and then proceed to add steps to identify security issues in a typical web application stack.

Presented by @garethr and @wickett at Velocity 2014 in Santa Clara

Gareth Rushgrove

June 24, 2014
Transcript

  1. 1.

    Velocity 2014
    BATTLE-TESTED CODE WITHOUT THE BATTLE
    SECURITY TESTING AND CONTINUOUS INTEGRATION
    James Wickett and Gareth Rushgrove
  2. 3.

    #secure-pipeline @garethr // @wickett
    Goal: Equip you with the theory, examples and tools so that you can build a secure pipeline you can lovingly call your very own
  3. 26.

    RATIO PROBLEM
    DEV / OPS / SECURITY
    100 / 10 / 1
    ORDER OF MAGNITUDE
  4. 49.

    LAB 0 REVIEW
    YOU SHOULD HAVE:
    A FORK OF THE REPO
    UNDERSTANDING OF TRAVIS.YML
  5. 52.

    GAUNTLT PRINCIPLES AND PHILOSOPHY
    Gauntlt comes with pre-canned steps that hook security testing tools
    Gauntlt does not install tools
    Gauntlt can be part of the CI/CD pipeline
    Be a good citizen of exit status and stdout/stderr
    MIT Open Source License
  6. 54.

    GAUNTLT RESOURCES
    Google Group: https://groups.google.com/d/forum/gauntlt
    Wiki: https://github.com/gauntlt/gauntlt/wiki
    Twitter: @gauntlt
    IRC: #gauntlt on freenode
    Issue tracking: http://github.com/gauntlt/gauntlt
  9. 130.

    build("download-and-test")
    parallel (
      { build("zapr") },
      { build("static-analysis") },
      { build("code-metrics") },
      { build("virus-scan") },
      { ignore(FAILURE) { build("bundler-audit") } }
    )
    ignore(FAILURE) { build("integration-test") }
  10. 135.

    - job:
        name: download-and-test
        display-name: 'Download and unit test'
        builders:
          - shell: |
              export NOKOGIRI_USE_SYSTEM_LIBRARIES=true
              bundle install --path ../cache/vendor
              bundle exec rake db:setup
              bundle exec rake test
        scm:
          - git:
              url: https://github.com/OWASP/railsgoat.git
              branches:
                - master
  11. 148.

    Would be nice to see a standard emerge here to make a nice plugin more likely
  12. 149.

    Name: actionpack
    Version: 3.2.11
    Advisory: OSVDB-103440
    Criticality: Unknown
    URL: http://osvdb.org/show/osvdb/103440
    Title: Denial of Service Vulnerability in Action View when using render :text
    Solution: upgrade to >= 3.2.17
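One way to act on that bundler-audit output in the pipeline, as an added example that is not part of the deck, of bundler-audit or of Gauntlt: parse the advisory blocks in the format shown on the slide and turn criticality into an exit status, which is what the "good citizen of exit status" principle and the ignore(FAILURE) wrapper on the Build Flow slide are about. The sample text is constructed: the first advisory copies the slide, the second (example-gem, PLACEHOLDER-ADVISORY) is hypothetical and only there to exercise the failing path.

```ruby
# Added example (not part of the deck or of bundler-audit/Gauntlt): parse
# bundler-audit's text output and gate a CI job on advisory criticality.
# Constructed sample: the first advisory copies the slide; the second
# ("example-gem", "PLACEHOLDER-ADVISORY") is hypothetical, to exercise the fail path.
SAMPLE_OUTPUT = <<~OUT
  Name: actionpack
  Version: 3.2.11
  Advisory: OSVDB-103440
  Criticality: Unknown
  URL: http://osvdb.org/show/osvdb/103440
  Title: Denial of Service Vulnerability in Action View when using render :text
  Solution: upgrade to >= 3.2.17

  Name: example-gem
  Version: 1.0.0
  Advisory: PLACEHOLDER-ADVISORY
  Criticality: High
  URL: http://example.invalid/advisory
  Title: Constructed advisory used only to exercise the gate
  Solution: upgrade to >= 1.0.1

  Vulnerabilities found!
OUT
# Each advisory is a run of "Key: value" lines separated by a blank line;
# trailing status lines ("Vulnerabilities found!") have no Advisory key and are dropped.
def parse_advisories(text)
  text.split(/\n\s*\n/).map do |block|
    block.lines.each_with_object({}) do |line, h|
      key, value = line.split(':', 2)
      h[key.strip] = value.strip if value
    end
  end.select { |h| h.key?('Advisory') }
end

# Gate policy: fail on the listed criticalities, report everything else (so the
# slide's "Unknown" advisory is shown but not fatal, instead of hiding the whole
# job behind ignore(FAILURE) as the Build Flow slide does).
def gate(advisories, fail_on: %w[High Critical])
  failing = advisories.select { |a| fail_on.include?(a['Criticality']) }
  { exit_status: failing.empty? ? 0 : 1, failing: failing.map { |a| a['Advisory'] } }
end

advisories = parse_advisories(SAMPLE_OUTPUT)
advisories.each do |a|
  puts "#{a['Advisory']} #{a['Name']} #{a['Version']} [#{a['Criticality']}] -> #{a['Solution']}"
end
result = gate(advisories)
puts "gate exit status: #{result[:exit_status]} (failing: #{result[:failing].join(', ')})"
# A CI wrapper would finish with: exit result[:exit_status]
```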
  13. 155.

    test/test.exe: OK

    ----------- SCAN SUMMARY -----------
    Known viruses: 3419706
    Engine version: 0.98.1
    Scanned directories: 1
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 10.247 sec (0 m 10 s)
  14. 164.

    +----------------------------------+--------+-----------------------------------------+
    | Alert                            | Risk   | URL                                     |
    +----------------------------------+--------+-----------------------------------------+
    | Cross Site Scripting (Reflected) | High   | http://localhost:3000/forgot_password   |
    +----------------------------------+--------+-----------------------------------------+