Slide 1

Security Testing for Web Apps using OSS

Slide 2

Marialina Ballesteros Ops team at @MarialinaBall http://www.linkedin.com/in/marialina-ballesteros

Slide 3

Is our Web App ready for production?
● Test
● Requirement features
● QA
● Security

Slide 4

Security & DevOps
● Should be involved earlier in development.
● Should balance the audit/security needs for faster deployments.
● Security, Development, Ops and Testing should be aligned.

Slide 7

Security Testing
● Automatic Pentesting
● Manual Pentesting
● Online Pentesting
● Source Code Analysis

Slide 8

“Penetration testing [is] defined as a legal and authorized attempt to locate and successfully exploit computer systems for the purpose of making those systems more secure.”
Patrick Engebretson, The Basics of Hacking and Penetration Testing

Slide 9

Standard phases for pentesting:
● Pre-engagement Interactions
● Intelligence Gathering
● Threat Modeling
● Vulnerability Analysis
● Exploitation
● Post Exploitation
● Reporting

Slide 10

Test scenarios in Web App PenTesting:
● Cross Site Scripting
● SQL Injection
● Broken authentication and session management
● File Upload flaws
● Caching Servers Attacks
● Security Misconfigurations
● Cross Site Request Forgery
● Password Cracking

Slide 11

Linux Distro Tools
Advanced Penetration Testing Distribution

Slide 13

Which tools to choose? Criteria:
● Release date
● Accuracy
● False positives
● Reporting

Slide 14

Security Test Tools: Source Code Analysis
● Brakeman

Slide 15

Security Test Tools: Automatic Pentesting
● Arachni

Slide 16

Security Test Tools: Manual Pentesting
● ZAP Proxy

Slide 17

Security within Continuous Deployment
● Develop
● Code Commit
● Source Control
● Build Trigger
● Tests: SCA test, automatic security test
● Report & Notify
● Publish to release repository
● Deploy to Test Env: manual security test
● Deploy to Production
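The pipeline on this slide runs a source-code analysis tool and an automatic pentest in the Tests stage and then reports and notifies before anything is published. What the slide does not show is how the two reports become a go/no-go decision. The script below is an added example, not code from the talk or from Brakeman or Arachni: it merges a constructed SCA report and a constructed automatic-pentest report onto one severity scale and fails the build when a finding exceeds the tolerated level. The report layouts, field names (`warnings`/`confidence`, `issues`/`severity`) and sample file paths and URLs are assumptions made for this example, not the tools' documented schemas.

```python
"""Security gate for a CD pipeline: decide whether a build may be promoted.

Added example for the 'Security within Continuous Deployment' pipeline.
The report layouts below are CONSTRUCTED and only loosely modelled on the
JSON output of an SCA tool and an automatic pentest tool; the field names
are assumptions, not the documented schemas of Brakeman or Arachni.
"""
import json

# Constructed SCA report (assumed shape: a list of warnings with a confidence level).
SCA_REPORT = json.dumps({
    "warnings": [
        {"warning_type": "SQL Injection", "confidence": "High",
         "file": "app/models/user.rb", "line": 42},
        {"warning_type": "Cross-Site Scripting", "confidence": "Medium",
         "file": "app/views/posts/show.html.erb", "line": 7},
        {"warning_type": "Mass Assignment", "confidence": "Weak",
         "file": "app/controllers/users_controller.rb", "line": 15},
    ]
})

# Constructed automatic-pentest report (assumed shape: issues with a severity).
DAST_REPORT = json.dumps({
    "issues": [
        {"name": "Missing 'X-Frame-Options' header", "severity": "low",
         "url": "http://app.test/"},
        {"name": "Cross-Site Scripting (XSS)", "severity": "high",
         "url": "http://app.test/search?q="},
    ]
})

# Map both tools' vocabularies onto one ordered scale so a single policy applies.
SCA_LEVELS = {"High": 3, "Medium": 2, "Weak": 1}
DAST_LEVELS = {"high": 3, "medium": 2, "low": 1, "informational": 0}


def normalize_findings(sca_json, dast_json):
    """Return a flat list of (source, title, level, location) tuples."""
    findings = []
    for w in json.loads(sca_json).get("warnings", []):
        findings.append(("sca", w["warning_type"],
                         SCA_LEVELS.get(w["confidence"], 0),
                         f"{w['file']}:{w['line']}"))
    for i in json.loads(dast_json).get("issues", []):
        findings.append(("dast", i["name"],
                         DAST_LEVELS.get(i["severity"], 0), i["url"]))
    return findings


def gate(findings, max_level=2, allowlist=()):
    """Fail the build if any non-allowlisted finding is above max_level.

    max_level: highest level still tolerated (2 == Medium); anything above it
    blocks publishing to the release repository.
    allowlist: finding titles accepted as known, tracked risks.
    """
    blocking = [f for f in findings if f[2] > max_level and f[1] not in allowlist]
    highest = max((f[2] for f in findings), default=0)
    return {"passed": not blocking, "blocking": blocking,
            "total": len(findings), "max_level": highest}


def report(result):
    """Render the gate decision the way the 'Report & Notify' stage would."""
    verdict = "PASS" if result["passed"] else "FAIL"
    lines = [f"{verdict}: {result['total']} findings, "
             f"highest level {result['max_level']}"]
    for src, title, level, loc in result["blocking"]:
        lines.append(f"  [{src}] {title} (level {level}) at {loc}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = gate(normalize_findings(SCA_REPORT, DAST_REPORT))
    print(report(result))
    raise SystemExit(0 if result["passed"] else 1)  # non-zero exit stops the pipeline
```

The exit status is what the build trigger consumes: a non-zero status stops the pipeline before "Publish to release repository", while the rendered report goes to the notification channel. Keeping the threshold and the allowlist as parameters lets the same gate be tightened per environment without changing the tools that produce the reports.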

Slide 18

Web App Security Testing
● Identifying unknown vulnerabilities.
● Checking the effectiveness of the security policies.
● Finding the loopholes which can lead to theft of sensitive data.

Slide 19

READY FOR PRODUCTION!!!! NOW THE APP IS MORE SECURE