Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Конвейер непрерывной проверки приложений на безопасность

Конвейер непрерывной проверки приложений на безопасность

Доклад Алексея Дремина для PDUG-секции на форуме PHDays 9.

Transcript

  1. Заголовок ptsecurity.com AppSec Pipeline Application Security Lead Dremin Alexey

  2. Заголовок 2 • Security Engineer / Application Security Lead •

    CISSP Professional • What I do: • DevSecOps • Vulnerability management • Design architecture of infrastructure (AWS/Azure) • Development • Twitter: @alekseidremin About me
  3. Заголовок • All products mentioned in the presentation are given

    merely as an example. • Their mention should not be considered as a recommendation for the use of these particular products. • Disclaimer 3
  4. Заголовок 4 • Know what is happening in our source

    code • Know which libraries we’re using. Licensing issues? Vulnerabilities? • Find the problems as early as possible: shift left • Company is growing very quickly: this cannot be a manual process Why do we need security in our CI/CD pipeline?
  5. Заголовок 5 • Reduce the risk of being hacked, as

    soon as possible • Stay compliant with legal team’s policies on licenses How will it help?
  6. Заголовок 6 Application Security Pipeline

  7. Заголовок 7 SAST Tools?

  8. Заголовок 8 •Free/Free minimum: • OWASP Dependency Check • NPM

    audit • Snyk • Safety • RetireJS •Commercial: • WhiteHat • Veracode (https://www.sourceclear.com/) • Nexus-auditor • PT Application Inspector • and many others For most of commercial SAST that feature is already by default Dependency Checkers?
  9. Заголовок 9 • Scan Python code • Identifies vulnerabilities in

    Python code third party libraries • Can be your database, or someone else’s (e.g., NIST NVD) • Get it here: https://github.com/pyupio/safety Internal vulnerability database dependency checker
  10. Заголовок 10 • Free (for python) • Bandit https://github.com/openstack/bandit •

    Pyt https://github.com/python-security/pyt • Pyre https://github.com/facebook/pyre-check • SonarQube (more for developers) • Commercial • WhiteHat • Veracode • Checkmarx • Synopsis • PT Application Inspector Source code checkers?
  11. Заголовок 11 • Use security guidelines for frameworks • Search

    specific dangerous words in code such as: • For Django - mark_safe(), extra(), RawSQL • For React – dangerouslySetInnerHTML() or innerHTML • Catch changes: • What and when it happened • Configuration files • requirements.txt/packages.lock Catch something dangerous
  12. Заголовок 12 • Safety in enterprise versions is able to

    provide info about licenses of dependencies • ScanCode toolkit • Veracode/Whitehat and other commercial scanners • AquaSec checks licenses of libraries in docker images Check licenses of used dependencies?
  13. Заголовок 13 • Many source code scanners do it •

    But they can’t cover all situations • Use specialized tools like: • GitLeaks • TruffleHog • Gitrob • and many other clones. • User defined patterns • Look for the patterns in: • log aggregation tools (e.g., Splunk) • Messaging apps (e.g., Slack) • Ticket systems such as JIRA Hunt for leaked credentials: problems
  14. Заголовок 14 DAST

  15. Заголовок 15 Integration with SQA automatic tests

  16. Заголовок 16 • Burp in docker • Active and Passive

    mode • Get reports from Burp • vmware/burp-rest-api REST/JSON API to the Burp Burp
  17. Заголовок 17 • Jenkins is core • All our tools

    running in Jenkins. • All results store in s3 bucket and specific vulnerability management db • Parametrized Jenkins jobs • Manage Jenkins from source code Jenkins
  18. Заголовок 18 • DefectDojo • ThreadFix • Faradaysec • Dradis

    • ArcherySec Do you want to manage results and how?
  19. Заголовок 19 DefectDojo

  20. Заголовок 20 • Import scan results of various security tools

    by default • Your own plugins for uploaded results of security tools • Equivalent findings get marked as duplicate Important things about Vulnerability management program
  21. Заголовок 21 • Mark findings as false, true positive •

    Similar findings are merged • Set and show remediation timeframes • Jira/Slack/Email for notification Important things about Vulnerability management program
  22. Заголовок 22 •Integration with our chosen vulnerability management program •Get

    reports about new findings every day. •Get information about which findings is old and doesn’t appear more. •Maybe problems was fixed or something was broken in your scans. Notifications
  23. Заголовок 23 Notifications

  24. Заголовок 24 • Tools: • Security Code Warrior • Veracode

    • Checkmarx • Start your internal guideline for developers: • Which libs should be used • Best security practice for frameworks • Make friends with the dev team who care about security • Transparency of your job for dev team. Do not only notify them, talk to them is not less important. Developer Education program
  25. Заголовок ptsecurity.com Спасибо! Спасибо!