Slide 1

Slide 1 text

No content

Slide 2

Slide 2 text

“I admit it’s getting better, a little better all the time. It can’t get more worse!” - The Beatles

Slide 3

Slide 3 text

CONTINUOUS SECURITY

Slide 4

Slide 4 text

HELLO! I am Arjan Gelderblom I can be reached at [email protected] https://keybase.io/bloged

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

WHY? Why burden developers with security?

Slide 8

Slide 8 text

“To a hacker, you're just an IP address. You get hit because you let yourself be an easy mark.” - Ira Winkler

Slide 9

Slide 9 text

Software Development Life Cycle design code test deploy

Slide 10

Slide 10 text

Software Development Life Cycle design code test deploy

Slide 11

Slide 11 text

Software Development Life Cycle design code test deploy

Slide 12

Slide 12 text

Adding Sec to DevOps

Slide 13

Slide 13 text

STARTING POINT

Slide 14

Slide 14 text

The Bodgeit Store https://github.com/psiinon/bodgeit

Slide 15

Slide 15 text

OUR INITIAL PIPELINE checkout build test deploy

Slide 16

Slide 16 text

SOURCE CODE

Slide 17

Slide 17 text

You Built a Slack Bot TO READ YOUR TEAM THE NEWS and It Told Everyone Everything http://observer.com/2016/04/slack-bot-benedict-arnold/ https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/

Slide 18

Slide 18 text

The sensitive information in these examples has been modified or redacted

Slide 19

Slide 19 text

gittyleaks Scanning source control. https://github.com/kootenpv/gittyleaks

Slide 20

Slide 20 text

gittyleaks

node {
    stage('gittyleaks') {
        // Each sh step runs in its own shell, so an 'export' issued in a
        // separate step is lost; set LC_ALL on the same command line instead.
        sh 'LC_ALL=C gittyleaks -l git@github.com:psiinon/bodgeit.git'
    }
}

Slide 21

Slide 21 text

gittyleaks https://asciinema.org/a/6x2d74fond1j1mdlt9dpsx0pt

Slide 22

Slide 22 text

FindBugs + FindSecBugs Static code analysis http://findbugs.sourceforge.net/ http://find-sec-bugs.github.io/

Slide 23

Slide 23 text

FindBugs + FindSecBugs Static code analysis

node {
    stage('findbugs') {
        sh 'findbugs -textui target/project.jar'
    }
}

Slide 24

Slide 24 text

FindBugs + FindSecBugs Static code analysis https://asciinema.org/a/8vgl8gsfj1qhevnr9c6285gkf

Slide 25

Slide 25 text

CURRENT PIPELINE checkout build test deploy analysis

Slide 26

Slide 26 text

TESTING

Slide 27

Slide 27 text

Ever wanted to hack a University? http://netanelrub.in/2017/03/20/moodle-remote-code-execution/ https://threatpost.com/critical-moodle-vulnerability-could-lead-to-server-compromise/124446/

Slide 28

Slide 28 text

79940 (234 countries) Moodle sites registered https://moodle.net/sites/

Slide 29

Slide 29 text

ZED Attack Proxy https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Slide 30

Slide 30 text

ZED Attack Proxy https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

node {
    stage('zap-baseline') {
        sh 'docker run -t owasp/zap2docker-stable zap-baseline.py -t http://172.17.0.2:8080/bodgeit'
    }
}

Slide 31

Slide 31 text

ZED Attack Proxy https://asciinema.org/a/1s2telu6m7vsd4uzxoursd8pt

Slide 32

Slide 32 text

gauntlt Be Mean To Your Code And Like It http://gauntlt.org/

Slide 33

Slide 33 text

gauntlt Be Mean To Your Code And Like It

@slow
Feature: simple nmap attack (sanity check)

  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value      |
      | hostname | 172.17.0.2 |

  Scenario: Verify server is available on standard web ports
    When I launch an "nmap" attack with:
      """
      nmap -p 8080,443 <hostname>
      """
    Then the output should match /8080.tcp\s+open/
    And the output should not match:
      """
      443/tcp\s+open
      """

Slide 34

Slide 34 text

gauntlt Be Mean To Your Code And Like It

node {
    stage('gauntlt') {
        sh 'gauntlt custom/*/*.attack'
    }
}

Slide 35

Slide 35 text

gauntlt Be Mean To Your Code And Like It https://asciinema.org/a/2tfc8bfzygw6j6xvjgn2pvnia

Slide 36

Slide 36 text

inspec Inspect Your Infrastructure http://inspec.io/

Slide 37

Slide 37 text

inspec Inspect Your Infrastructure https://github.com/chef/inspec/blob/master/docs/profiles.md

title '/port-8080 open'

# you add controls here
control "port 8080" do                         # A unique ID for this control
  impact 0.7                                   # The criticality, if this control fails.
  title "Port 8080 should be listening"        # A human-readable title
  desc "Checking the port public port ..."     # Describe why this is needed
  tag data: "port"                             # A tag allows you to associate key
  tag "security"                               # information to the test
  ref "Document A-12", url: 'http://...'       # Additional references
  describe port(8080) do                       # Actual test
    it { should be_listening }
  end
end

Slide 38

Slide 38 text

inspec Inspect Your Infrastructure

node {
    stage('inspec') {
        sh 'inspec exec inspec/example/ -t docker://f782c7f0a177'
    }
}

Slide 39

Slide 39 text

inspec Inspect Your Infrastructure https://asciinema.org/a/4ft5iso3jhu8vbh6shnatr1nk

Slide 40

Slide 40 text

BDD Security Security Testing Framework https://www.continuumsecurity.net/bdd-security/

Slide 41

Slide 41 text

BDD Security Security Testing Framework https://asciinema.org/a/8ixx15uydulugvw1syohgb03g

Slide 42

Slide 42 text

beaker Cloud enabled acceptance testing https://github.com/puppetlabs/beaker

Slide 43

Slide 43 text

CURRENT PIPELINE checkout build test deploy analysis

Slide 44

Slide 44 text

EXTERNAL DEPENDENCIES

Slide 45

Slide 45 text

HACKED http://wololo.net/2017/03/11/nintendo-switch-already-hacked-known-vulnerability/

Slide 46

Slide 46 text

OpenVAS Vulnerability scanning and vulnerability management http://www.openvas.org/

Slide 47

Slide 47 text

No content

Slide 48

Slide 48 text

cvechecker Vulnerability scanning and vulnerability management https://github.com/sjvermeu/cvechecker

Slide 49

Slide 49 text

cvechecker Vulnerability scanning and vulnerability management https://github.com/sjvermeu/cvechecker

node {
    stage('cvechecker') {
        sh 'find / -type f -perm -o+x > scanlist.txt'
        sh 'echo "/proc/version" >> scanlist.txt'
        sh 'cvechecker -b scanlist.txt'
        sh 'cvechecker -r'
    }
}

Slide 50

Slide 50 text

cvechecker Vulnerability scanning and vulnerability management https://asciinema.org/a/6xtccj8r0qjihh94ui1gu92ma

Slide 51

Slide 51 text

https://alpinelinux.org/

Slide 52

Slide 52 text

Alpine Linux Vulnerability scanning and vulnerability management https://asciinema.org/a/34ihmet34cd4ly523pfaml2uu

Slide 53

Slide 53 text

OWASP Dependency Check https://www.owasp.org/index.php/OWASP_Dependency_Check

Slide 54

Slide 54 text

OWASP Dependency Check

node {
    // stage label corrected: this step runs dependency-check, not cvechecker
    stage('dependency-check') {
        sh 'mvn org.owasp:dependency-check-maven:1.4.5:aggregate'
    }
}

Slide 55

Slide 55 text

OWASP Dependency Check https://asciinema.org/a/6ytzredroiwvifzude45n3bcm
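The per-tool stages shown on the preceding slides joined into one scripted Jenkinsfile, as an added example that is not from the deck or from any of the projects it names. It assumes the scanners (gittyleaks, findbugs, gauntlt, inspec, cvechecker, docker, mvn) are on the build agent's PATH, that the target container is reachable at 172.17.0.2 as on the ZAP slide, that a hypothetical ./deploy.sh brings the target up, and it exposes the inspec container id as a TARGET_CONTAINER build parameter (also an assumption). What the deck leaves implicit is how each scanner's result reaches the build verdict, which is what this example adds.

```groovy
// Added example, not from the slides: the per-tool stages combined into one
// scripted Jenkinsfile. Every scanner either fails the build outright or
// marks it UNSTABLE, so a finding can never scroll past unnoticed in a log.
// Assumptions: gittyleaks, findbugs, gauntlt, inspec, cvechecker, docker and
// mvn are on the agent's PATH; ./deploy.sh (hypothetical) starts the target.

properties([
    parameters([
        string(name: 'TARGET_CONTAINER', defaultValue: 'f782c7f0a177',
               description: 'Container id that inspec should inspect')
    ])
])

node {
    stage('checkout') {
        checkout scm
    }

    stage('build') {
        sh 'mvn -B -DskipTests package'
    }

    stage('test') {
        sh 'mvn -B test'
    }

    // ---- analysis of what we wrote and what we pulled in ----

    stage('gittyleaks') {
        // Each sh step is a fresh shell: an 'export' in an earlier step is
        // gone by now, so the locale is set on the same command line.
        sh 'LC_ALL=C gittyleaks -l git@github.com:psiinon/bodgeit.git'
    }

    stage('findbugs') {
        sh 'findbugs -textui target/project.jar'
    }

    stage('dependency-check') {
        sh 'mvn -B org.owasp:dependency-check-maven:1.4.5:aggregate'
        // Keep the HTML report with the build so findings can be triaged later.
        archiveArtifacts artifacts: 'target/dependency-check-report.html',
                         allowEmptyArchive: true
    }

    stage('cvechecker') {
        // One multi-line script, so all commands share a single shell.
        // find exits non-zero on unreadable paths; keep the partial list.
        sh '''
            find / -type f -perm -o+x > scanlist.txt || true
            echo "/proc/version" >> scanlist.txt
            cvechecker -b scanlist.txt
            cvechecker -r
        '''
    }

    // ---- deploy, then test the running target ----

    stage('deploy') {
        sh './deploy.sh'   // hypothetical: brings the app up at 172.17.0.2:8080
    }

    stage('zap-baseline') {
        // zap-baseline.py exits non-zero when it reports issues; record that
        // as UNSTABLE rather than aborting so the remaining stages still run.
        int zapStatus = sh(
            returnStatus: true,
            script: 'docker run -t owasp/zap2docker-stable zap-baseline.py -t http://172.17.0.2:8080/bodgeit'
        )
        if (zapStatus != 0) {
            currentBuild.result = 'UNSTABLE'
        }
    }

    stage('gauntlt') {
        sh 'gauntlt custom/*/*.attack'
    }

    stage('inspec') {
        sh "inspec exec inspec/example/ -t docker://${params.TARGET_CONTAINER}"
    }
}
```

The source and dependency checks run before deploy so that a leaked credential or a known-vulnerable library stops the build before anything is started; the dynamic checks (ZAP, gauntlt, inspec) need the running target and therefore follow the deploy stage. ZAP is the one stage that is deliberately non-blocking at first: its baseline scan reports warnings on most untouched applications, and marking the build UNSTABLE keeps those visible without halting the pipeline until the team has triaged them.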

Slide 56

Slide 56 text

http://www.networkworld.com/article/3162232/security/that-hearbleed-problem-may-be-more-pervasive-than-you-think.html

Slide 57

Slide 57 text

Updates Base images & dependencies

Slide 58

Slide 58 text

OPEN INFORMATION

Slide 59

Slide 59 text

https://www.owasp.org https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Slide 60

Slide 60 text

Training OWASP WebGoat OWASP SecurityShepherd https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project https://www.owasp.org/index.php/OWASP_Security_Shepherd

Slide 61

Slide 61 text

Software Development Life Cycle design code test deploy

Slide 62

Slide 62 text

TAKEAWAYS

Slide 63

Slide 63 text

No content

Slide 64

Slide 64 text

THANKS! Any questions? You can find me at [email protected] https://keybase.io/bloged

Slide 65

Slide 65 text

No content