Slide 1

Velocity 2014
BATTLE-TESTED CODE WITHOUT THE BATTLE
SECURITY TESTING AND CONTINUOUS INTEGRATION
James Wickett and Gareth Rushgrove

Slide 2

#secure-pipeline @garethr // @wickett
Chapter 1: THE INTRODUCTION

Slide 3

Goal: Equip you with the theory, examples and tools so that you can build a secure pipeline you can lovingly call your very own

Slide 4

#SECURE-PIPELINE

Slide 5

@garethr

Slide 6

UK Government Digital Service

Slide 7

(image-only slide)

Slide 8

(image-only slide)

Slide 9

@wickett

Slide 10

(image-only slide)

Slide 11

Chapter 2: THE THEORY

Slide 12

WHY DOES THIS MATTER?

Slide 13

YOU WANT TO DELIVER SECURE CODE

Slide 14

EVERYONE ELSE WANTS TO…

Slide 15

Just Ship It!

Slide 16

SOFTWARE AS A SERVICE

Slide 17

FRAGILE SOFTWARE AS A SERVICE

Slide 18

VULNERABLE CODE IS EVERYWHERE

Slide 19

White Hat Security: 2014 Website Security Statistics Report

Slide 20

YOUR CHOICE OF PROGRAMMING LANGUAGE DOESN'T MATTER

Slide 21

White Hat Security: 2014 Website Security Statistics Report

Slide 22

PROBLEMS GET FIXED SLOWLY

Slide 23

White Hat Security: 2014 Website Security Statistics Report

Slide 24

HOW DID WE GET HERE?

Slide 25

RATIO PROBLEM
DEV / OPS / SECURITY = 100 / 10 / 1

Slide 26

RATIO PROBLEM
DEV / OPS / SECURITY = 100 / 10 / 1
ORDER OF MAGNITUDE

Slide 27

SECURITY TOOLS ARE RUN OUT-OF-BAND

Slide 28

WHAT CAN WE DO?

Slide 29

YOU SHOULD BE RUNNING SECURITY TESTS IN YOUR CONTINUOUS DELIVERY PIPELINE

Slide 30

AND IT'S NOT THAT HARD TO DO

Slide 31

PASSIVE SCANNING: Static analysis (Passive)

Slide 32

ACTIVE SCANNING: Testing the running application (Active)

Slide 33

INSECURE DEPENDENCIES: Secure your supply chain (Dependencies)

Slide 34

SOURCE CODE INTEGRITY: Is that really your code? (Integrity)

Slide 35

WHAT'S THE BENEFIT?

Slide 36

CATCH EASY PROBLEMS QUICKLY

Slide 37

FOCUS PENETRATION TESTING ON ATTACK SIMULATIONS OR OTHER HARD PROBLEMS

Slide 38

RUGGED JOURNEY

Slide 39

RUGGEDDEV.ORG

Slide 40

QUALITY
TRANSPARENCY
VALUE CREATION
CULTURE INFUSION

Slide 41

Chapter 3: USING TRAVIS

Slide 42

LAB 0

Slide 43

bit.ly/secure-pipeline-lab0

Slide 44

YOU NEED:
- GITHUB ACCOUNT
- TRAVIS CI ACCOUNT

Slide 45

FORK THE REPO

Slide 46

(image-only slide)

Slide 47

(image-only slide)

Slide 48

(image-only slide)

Slide 49

LAB 0 REVIEW
YOU SHOULD HAVE:
- A FORK OF THE REPO
- UNDERSTANDING OF TRAVIS.YML

Slide 50

GAUNTLT: Be mean to your code (Active)

Slide 51

BUILT ON CUCUMBER

Slide 52

GAUNTLT PRINCIPLES AND PHILOSOPHY
- Gauntlt comes with pre-canned steps that hook security testing tools
- Gauntlt does not install tools
- Gauntlt can be part of the CI/CD pipeline
- Be a good citizen of exit status and stdout/stderr
- MIT Open Source License

Slide 53

(image-only slide)

Slide 54

GAUNTLT RESOURCES
- Google Group: https://groups.google.com/d/forum/gauntlt
- Wiki: https://github.com/gauntlt/gauntlt/wiki
- Twitter: @gauntlt
- IRC: #gauntlt on freenode
- Issue tracking: http://github.com/gauntlt/gauntlt

Slide 55

THE GAUNTLT BOOK [email protected] FREE!

Slide 56

LAB 1

Slide 57

bit.ly/secure-pipeline-lab1

Slide 58

In Travis CI set the repo to 'ON'

Slide 59

Add the Travis badge in README.md

Slide 60

Add the Travis badge in README.md

Slide 61

(image-only slide)

Slide 62

(image-only slide)

Slide 63

READ THE TRAVIS CONFIG! lab_1/.travis.yml

Slide 64

(image-only slide)

Slide 65

(image-only slide)

Slide 66

READ THE RAKEFILE! rails-travis-example/Rakefile

Slide 67

(image-only slide)

Slide 68

(image-only slide)

Slide 69

FINALLY, ATTACKS!

Slide 70

(image-only slide)

Slide 71

NMAP

Slide 72

./test/attacks/assert-ports.attack

Slide 73

./test/attacks/assert-ports.attack

Slide 74

./test/attacks/assert-ports.attack
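The three slides above show assert-ports.attack only as screenshots, so the check itself is not on the page. As an added example (my own code, not from the workshop repository and not Gauntlt's own steps), here is the same kind of port assertion written in plain Ruby so it can run from a Rakefile or CI step: it parses nmap's grepable (-oG) output and fails the build when any open TCP port is outside an allow-list, or when a port the app must expose is not open. The sample scan text and all function names are constructed for this example.

```ruby
# Added example: an nmap port assertion as a CI gate (not the workshop's code).
# Parses nmap "grepable" (-oG) output and fails when the set of open TCP ports
# is not what the pipeline expects.

# Constructed sample of `nmap -oG - -p 1-65535 localhost` for a Rails app on
# port 3000 on a box that also runs SSH. Port lines look like:
#   Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>//<service>///, ...
SAMPLE_NMAP_GREPABLE = <<~NMAP
  # Nmap 6.40 scan initiated Mon Jun 23 10:00:00 2014 as: nmap -oG - -p 1-65535 localhost
  Host: 127.0.0.1 (localhost)\tStatus: Up
  Host: 127.0.0.1 (localhost)\tPorts: 22/open/tcp//ssh///, 3000/open/tcp//ppp///, 5432/closed/tcp//postgresql///\tIgnored State: closed (65532)
  # Nmap done at Mon Jun 23 10:00:05 2014 -- 1 IP address (1 host up) scanned in 5.02 seconds
NMAP

# Return the sorted, de-duplicated list of open TCP ports in grepable output.
def open_tcp_ports(grepable)
  grepable.each_line.flat_map do |line|
    next [] unless line.include?("Ports:")
    line.scan(%r{(\d+)/open/tcp}).flatten.map(&:to_i)
  end.sort.uniq
end

# The assertion itself. `expected` are ports that must be open (the app),
# `allowed` are ports that may be open (e.g. SSH on the build box).
# Anything else that is open is a finding.
def check_ports(grepable, expected:, allowed: [])
  open_ports = open_tcp_ports(grepable)
  permitted  = (expected + allowed).uniq
  {
    open:       open_ports,
    unexpected: open_ports - permitted,
    missing:    expected - open_ports,
  }
end

def ports_ok?(result)
  result[:unexpected].empty? && result[:missing].empty?
end

# Be a good citizen of exit status and stdout/stderr, as the Gauntlt
# principles ask: 0 means pass, 1 means the build should fail.
def run_port_gate(grepable, expected:, allowed: [])
  result = check_ports(grepable, expected: expected, allowed: allowed)
  if ports_ok?(result)
    $stdout.puts "ports OK: #{result[:open].join(', ')}"
    0
  else
    $stderr.puts "unexpected open ports: #{result[:unexpected].inspect}" unless result[:unexpected].empty?
    $stderr.puts "expected ports not open: #{result[:missing].inspect}" unless result[:missing].empty?
    1
  end
end

if __FILE__ == $PROGRAM_NAME
  status = run_port_gate(SAMPLE_NMAP_GREPABLE, expected: [3000], allowed: [22])
  puts "gate status: #{status}"   # a real CI step would `exit status` here
end
```

In a pipeline you would feed real scanner output in (for example `nmap -oG - -p 1-65535 localhost | ruby port_gate.rb`) and `exit` with the returned status so Travis or Jenkins marks the build red. Checking for missing expected ports as well as unexpected ones matters: a scan that finds nothing open because the app never started should not pass.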

Slide 75

HEARTBLEED AND SSLYZE

Slide 76

./test/attacks/ssl.attack

Slide 77

./test/attacks/ssl.attack

Slide 78

./test/attacks/ssl.attack

Slide 79

Copy text from lab_1/.travis.yml and paste into the main .travis.yml

Slide 80

LAB 1 REVIEW
YOU SHOULD HAVE: TRAVIS CI SETUP WITH 2 RUNNING ATTACKS

Slide 81

(image-only slide)

Slide 82

http://localhost:3000

Slide 83

alert('The Obligatory XSS Popup');

Slide 84

alert('The Obligatory XSS Popup');

Slide 85

    arachni http://localhost:3000 \
      --plugin=autologin:url=http://localhost:3000/users/sign_in,params='user[email][email protected]&user[password]=testtest',check='Logout [email protected]' \
      -e /users/sign_out

Slide 86

    arachni http://localhost:3000 \
      --plugin=autologin:url=http://localhost:3000/users/sign_in,params='user[email][email protected]&user[password]=testtest',check='Logout [email protected]' \
      -e /users/sign_out

http://support.arachni-scanner.com/kb/general-use/logging-in-and-maintaining-a-valid-session

Slide 87

WANT XSS PAYLOADS? beefproject.com

Slide 88

LAB 2

Slide 89

bit.ly/secure-pipeline-lab2

Slide 90

READ THE TRAVIS CONFIG lab_2/.travis.yml

Slide 91

./velocity/lab_2/.travis.yml

Slide 92

./Gemfile

Slide 93

./velocity/lab_2/.travis.yml

Slide 94

./Rakefile

Slide 95

./test/attacks/xss.attack

Slide 96

./test/attacks/xss.attack

Slide 97

Copy text from lab_2/.travis.yml and paste into the main .travis.yml

Slide 98

LAB 2 REVIEW: 2-3 Travis CI Passing Builds

Slide 99

LAB 3

Slide 100

bit.ly/secure-pipeline-lab3

Slide 101

./velocity/lab_3/.travis.yml

Slide 102

./velocity/lab_3/.travis.yml

Slide 103

./Rakefile

Slide 104

./test/attacks/email_leakage.attack

Slide 105

./test/attacks/email_leakage.attack

Slide 106

./test/attacks/backdoors.attack

Slide 107

./test/attacks/sql_injection.attack

Slide 108

./test/attacks/sql_injection.attack

Slide 109

./test/attacks/sql_injection.attack

Slide 110

Copy text from lab_3/.travis.yml and paste into the main .travis.yml

Slide 111

LAB 3 REVIEW: 3 Travis CI Passing Builds

Slide 112

CODE CLIMATE (Passive)

Slide 113

(image-only slide)

Slide 114

Chapter 4: USING JENKINS

Slide 115

VIRTUAL MACHINES FOR THE WORKSHOP KINDLY PROVIDED BY

Slide 116

EVERYONE GETS AN INSTANCE

Slide 117

domains.secure-pipeline.com

Slide 118

WHY JENKINS?

Slide 119

POPULARITY AND FAMILIARITY

Slide 120

ALL THE BASICS OUT OF THE BOX

Slide 121

LIST JOBS

Slide 122

(image-only slide)

Slide 123

SEE INDIVIDUAL TEST RUNS

Slide 124

(image-only slide)

Slide 125

HIGHLY EXTENSIBLE

Slide 126

GATHER METRICS

Slide 127

Requires Sloccount

Slide 128

CRAFT PIPELINES: Jenkins Build Flow, a DSL for Jenkins pipelines

Slide 129

    build("first job")
    build("second job")

Slide 130

    build("download-and-test")
    parallel (
      { build("zapr") },
      { build("static-analysis") },
      { build("code-metrics") },
      { build("virus-scan") },
      { ignore(FAILURE) { build("bundler-audit") } }
    )
    ignore(FAILURE) { build("integration-test") }

Slide 131

Requires Jenkins Build Graph

Slide 132

CONFIGURATION AS CODE: Jenkins Job Builder

Slide 133

BECAUSE SHARING PRACTICES IS IMPORTANT

Slide 134

Jenkins Job Builder
- From OpenStack
- Domain specific language for jobs
- Uses Jenkins API

Slide 135

    - job:
        name: download-and-test
        display-name: 'Download and unit test'
        builders:
          - shell: |
              export NOKOGIRI_USE_SYSTEM_LIBRARIES=true
              bundle install --path ../cache/vendor
              bundle exec rake db:setup
              bundle exec rake test

        scm:
          - git:
              url: https://github.com/OWASP/railsgoat.git
              branches:
                - master

Slide 136

Easily automated: Puppet module from Opentable

Slide 137

SECURITY TESTING WITH JENKINS

Slide 138

WE NEED AN APP TO TEST

Slide 139

A vulnerable Rails application: RailsGoat. Designed for testing

Slide 140

A vulnerable PHP application: WackoPicko

Slide 141

A vulnerable Node application: NodeGoat. You get the idea

Slide 142

BRAKEMAN: Static analysis (Passive)

Slide 143

Requires Brakeman

Slide 144

- Get warnings of potential security vulnerabilities
- See new warnings as well as fixed ones

Slide 145

Dig down into the line of code that triggered the warning

Slide 146

BUNDLER AUDIT: Finding insecure dependencies (Dependencies)

Slide 147

Based on work by rubysec.com

Slide 148

Would be nice to see a standard emerge here to make a nice plugin more likely

Slide 149

    Name: actionpack
    Version: 3.2.11
    Advisory: OSVDB-103440
    Criticality: Unknown
    URL: http://osvdb.org/show/osvdb/103440
    Title: Denial of Service Vulnerability in Action View when using render :text
    Solution: upgrade to >= 3.2.17
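The report above is what bundler-audit prints when a locked gem version falls outside an advisory's patched range. As an added example (my own code, not bundler-audit's or the workshop's), here is the core of that check in Ruby: parse the specs section of a Gemfile.lock, compare each locked version against the advisory's patched requirements using RubyGems' own version logic, and print findings in the slide's format. The Gemfile.lock fragment and the advisory list are constructed for the example; a real pipeline would load advisories from the ruby-advisory-db that bundler-audit uses, and the second advisory is invented to show a non-match.

```ruby
# Added example: a simplified dependency audit (not bundler-audit's code).
require "rubygems"   # Gem::Version and Gem::Requirement ship with RubyGems

# Constructed Gemfile.lock fragment; only the `specs:` block is parsed.
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.11)
      rack (1.4.5)
      rails (3.2.11)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.2.11)
LOCK

# Constructed advisories in the shape of the slide's report. The first mirrors
# the slide; the second is invented and does NOT affect the locked rack version.
SAMPLE_ADVISORIES = [
  { gem: "actionpack", id: "OSVDB-103440", criticality: "Unknown",
    url: "http://osvdb.org/show/osvdb/103440",
    title: "Denial of Service Vulnerability in Action View when using render :text",
    patched: [">= 3.2.17"] },
  { gem: "rack", id: "EXAMPLE-0001", criticality: "High",
    url: "http://example.invalid/EXAMPLE-0001",
    title: "constructed advisory whose patched ranges include the locked version",
    patched: ["~> 1.4.5", ">= 1.5.2"] },
]

# Parse "    name (version)" lines under `specs:` into {name => Gem::Version}.
# Direct entries are indented 4 spaces; their sub-dependencies (6 spaces) carry
# requirements rather than versions, so only the 4-space lines are taken.
def locked_gems(lockfile)
  gems = {}
  in_specs = false
  lockfile.each_line do |line|
    in_specs = true  if line.strip == "specs:"
    in_specs = false if line.strip.empty?
    next unless in_specs
    if (m = line.match(/^\s{4}(\S+) \(([^)]+)\)\s*$/))
      gems[m[1]] = Gem::Version.new(m[2])
    end
  end
  gems
end

# A version is vulnerable unless it satisfies at least one patched requirement.
def vulnerable?(version, patched_requirements)
  patched_requirements.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Return the advisories that apply to the locked versions, with the version attached.
def audit(lockfile, advisories)
  gems = locked_gems(lockfile)
  advisories.select do |adv|
    version = gems[adv[:gem]]
    version && vulnerable?(version, adv[:patched])
  end.map { |adv| adv.merge(version: gems[adv[:gem]].to_s) }
end

# Render findings in the same layout as the slide's report.
def format_report(findings)
  findings.map do |f|
    ["Name: #{f[:gem]}", "Version: #{f[:version]}", "Advisory: #{f[:id]}",
     "Criticality: #{f[:criticality]}", "URL: #{f[:url]}", "Title: #{f[:title]}",
     "Solution: upgrade to #{f[:patched].join(' or ')}"].join("\n")
  end.join("\n\n")
end

if __FILE__ == $PROGRAM_NAME
  findings = audit(SAMPLE_GEMFILE_LOCK, SAMPLE_ADVISORIES)
  puts findings.empty? ? "No vulnerable gems found" : format_report(findings)
  # a CI step would `exit(findings.empty? ? 0 : 1)` here
end
```

Using Gem::Requirement rather than string comparison is the point: "3.2.11" versus ">= 3.2.17" and pessimistic constraints like "~> 1.4.5" are evaluated exactly as Bundler evaluates them, so the gate agrees with what will actually be installed.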

Slide 150

Alternatives for other languages
- SafeNuGet
- OWASP Dependency Check
- NSP (Node.js)

Slide 151

Also available in SaaS: Gemnasium. Supports Ruby, Node, Python, PHP

Slide 152

CLAMAV: Virus scanning (Integrity)

Slide 153

Open source virus scanner

Slide 154

    clamscan dir-name

Slide 155

    test/test.exe: OK

    ----------- SCAN SUMMARY -----------
    Known viruses: 3419706
    Engine version: 0.98.1
    Scanned directories: 1
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 10.247 sec (0 m 10 s)

Slide 156

Requires ClamAV
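The clamscan output on the slide is what a Jenkins virus-scan job has to turn into a pass or fail. As an added example (my own code, not the workshop's), here is a small Ruby gate that parses that summary and the per-file "FOUND" lines and decides the build status, using clamscan's documented exit codes (0 clean, 1 infected, 2 error). The two sample outputs are constructed; the infected one uses the EICAR test signature name as a stand-in for a real hit.

```ruby
# Added example: turn clamscan output plus its exit status into a build verdict.

# Constructed clean output, in the shape of the slide.
SAMPLE_CLAMSCAN_CLEAN = <<~OUT
  test/test.exe: OK

  ----------- SCAN SUMMARY -----------
  Known viruses: 3419706
  Engine version: 0.98.1
  Scanned directories: 1
  Scanned files: 1
  Infected files: 0
  Data scanned: 0.00 MB
  Data read: 0.00 MB (ratio 0.00:1)
  Time: 10.247 sec (0 m 10 s)
OUT

# Constructed output for a directory with one hit (clamscan prints
# "<path>: <signature> FOUND" for each infected file).
SAMPLE_CLAMSCAN_INFECTED = <<~OUT
  vendor/cache/evil.gem: Eicar-Test-Signature FOUND
  app/models/user.rb: OK

  ----------- SCAN SUMMARY -----------
  Known viruses: 3419706
  Engine version: 0.98.1
  Scanned directories: 2
  Scanned files: 2
  Infected files: 1
  Data scanned: 0.01 MB
  Data read: 0.01 MB (ratio 0.00:1)
  Time: 10.911 sec (0 m 10 s)
OUT

# Parse per-file hits and the "Key: value" summary lines.
def parse_clamscan(output)
  result = { found: [], summary: {} }
  output.each_line(chomp: true) do |line|
    if (m = line.match(/\A(.+?): (.+) FOUND\z/))
      result[:found] << { path: m[1], signature: m[2] }
    elsif (m = line.match(/\A([A-Za-z ]+): (.+)\z/))
      # summary keys are plain words; file paths contain "/" or "." and never match here
      result[:summary][m[1]] = m[2]
    end
  end
  result
end

# clamscan exit codes: 0 = no virus found, 1 = virus(es) found, 2 = error.
# The gate fails on 1, treats 2 as an error (an unfinished scan is not a pass),
# and cross-checks the summary so a truncated or empty log cannot pass silently.
def clamscan_gate(exit_status, output)
  parsed   = parse_clamscan(output)
  infected = parsed[:summary]["Infected files"].to_i
  if exit_status == 2
    { status: :error, reason: "clamscan reported an error" }
  elsif exit_status == 1 || infected > 0 || !parsed[:found].empty?
    { status: :fail, reason: "#{[infected, parsed[:found].size].max} infected file(s)", found: parsed[:found] }
  elsif parsed[:summary].key?("Infected files")
    { status: :pass, scanned: parsed[:summary]["Scanned files"].to_i }
  else
    { status: :error, reason: "no scan summary in output" }
  end
end

if __FILE__ == $PROGRAM_NAME
  # In a Jenkins shell step: out=$(clamscan -r dir-name); status=$?; then hand both to the gate.
  p clamscan_gate(0, SAMPLE_CLAMSCAN_CLEAN)
  p clamscan_gate(1, SAMPLE_CLAMSCAN_INFECTED)
end
```

Treating "no summary" as an error rather than a pass is the caveat worth carrying into any scanner job: a tool that crashed, was not installed (the slide's "Requires ClamAV"), or was killed by a timeout produces no findings, and a gate that only looks for findings will wave it through.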

Slide 157

GIT SIGNING: Integrity (not implemented in our example)

Slide 158

Git supports GPG signing
- Sign every commit
- Sign merge commits
- Squash commits
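The slides say git signing is not implemented in the workshop example, so as an added example (my own code, not the workshop's) here is the verification side a CI job would run: ask git for each commit's signature status with the `%G?` pretty-format placeholder, and fail unless every commit in the range carries a good signature from a key on an allow-list. The log lines below are constructed; in a job they would come from `git log --format='%H %G? %GK %GS' origin/master..HEAD` on a box where the signers' public keys have been imported, since git computes `%G?` by calling gpg.

```ruby
# Added example: enforce "every commit signed by a trusted key" from git log output.

# git's %G? placeholder reports one letter per commit:
#   G good, B bad, U good but untrusted, X good but expired, Y good with
#   expired key, R good with revoked key, E cannot be checked, N no signature.
GOOD_SIGNATURE = "G"

# Constructed output of: git log --format='%H %G? %GK %GS' <range>
# (SHAs, key IDs and signers are made up for the example.)
SAMPLE_GIT_LOG = [
  "4d1f3a1c0f3b6b0d5f0c4c6f7d1e2a3b4c5d6e7f G 1234567890ABCDEF Alice Example <alice@example.com>",
  "9b8e7d6c5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c B 1234567890ABCDEF Alice Example <alice@example.com>",
  "c0ffee0000000000000000000000000000000001 N  ",
  "deadbeef000000000000000000000000000000aa G FEDCBA0987654321 Mallory <mallory@example.net>",
].join("\n")

# Parse one "%H %G? %GK %GS" line. Unsigned commits have empty key and signer.
def parse_signed_log_line(line)
  sha, status, key, signer = line.split(" ", 4)
  { sha: sha, status: status, key: key.to_s, signer: signer.to_s.strip }
end

# Return the list of violations for a range; an empty list means the range is clean.
def verify_commit_signatures(log, trusted_keys:)
  log.each_line(chomp: true).reject(&:empty?).map { |l| parse_signed_log_line(l) }.map do |c|
    problem =
      if c[:status] == "N"
        "unsigned"
      elsif c[:status] != GOOD_SIGNATURE
        "signature status #{c[:status]}"
      elsif !trusted_keys.include?(c[:key])
        "signed with untrusted key #{c[:key]}"
      end
    problem && { sha: c[:sha][0, 12], problem: problem, signer: c[:signer] }
  end.compact
end

def report_signature_check(log, trusted_keys:)
  verify_commit_signatures(log, trusted_keys: trusted_keys).map do |v|
    "#{v[:sha]}: #{v[:problem]}#{" (#{v[:signer]})" unless v[:signer].empty?}"
  end
end

if __FILE__ == $PROGRAM_NAME
  lines = report_signature_check(SAMPLE_GIT_LOG, trusted_keys: ["1234567890ABCDEF"])
  puts(lines.empty? ? "all commits signed by trusted keys" : lines)
  # a CI step would `exit(lines.empty? ? 0 : 1)` here
end
```

The allow-list is what makes this an integrity check rather than a formatting check: "U" (good signature, untrusted key) and a "G" from an unknown key both fail, which is the situation the slide's "Is that really your code?" is asking about. Squashing before merge, as the slide suggests, keeps the range short enough that signing every commit stays practical.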

Slide 159

ZAPR: Active security scanner (Active)

Slide 160

OWASP ZAP
- Web interface
- HTTP proxy
- API

Slide 161

Zapr: Command line scanner based on ZAP

Slide 162

    zapr --summary http://example.com/

Slide 163

Also provides JSON output

Slide 164

    +----------------------------------+--------+-----------------------------------------+
    | Alert                            | Risk   | URL                                     |
    +----------------------------------+--------+-----------------------------------------+
    | Cross Site Scripting (Reflected) | High   | http://localhost:3000/forgot_password   |
    +----------------------------------+--------+-----------------------------------------+
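The summary table above is readable for a human, and the JSON output the previous slide mentions is what a Jenkins job should consume. As an added example (my own code, not zapr's), here is the gate a pipeline puts behind an active scan: parse the alert list, fail the build on any alert at or above a chosen risk level, and render the blocking alerts in the same table style for the console log. Zapr does emit JSON, but the field names used here (alert, risk, url) are an assumption for the example, and the alerts are constructed around the slide's reflected XSS finding.

```ruby
# Added example: risk-threshold gate over a scanner's JSON alert list.
require "json"

# Constructed scanner output. The schema is assumed for the example, not zapr's.
SAMPLE_SCAN_JSON = <<~JSON
  [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",   "url": "http://localhost:3000/forgot_password"},
    {"alert": "X-Frame-Options Header Not Set",   "risk": "Medium", "url": "http://localhost:3000/"},
    {"alert": "Cookie No HttpOnly Flag",          "risk": "Low",    "url": "http://localhost:3000/login"}
  ]
JSON

# ZAP's risk levels, ordered so they can be compared against a threshold.
RISK_ORDER = { "Informational" => 0, "Low" => 1, "Medium" => 2, "High" => 3 }.freeze

def parse_alerts(json_text)
  JSON.parse(json_text).map do |a|
    { alert: a.fetch("alert"), risk: a.fetch("risk"), url: a.fetch("url") }
  end
end

# Alerts at or above the threshold; these are the ones that fail the build.
# Unknown risk strings are treated as Informational rather than ignored.
def blocking_alerts(alerts, fail_at: "Medium")
  min = RISK_ORDER.fetch(fail_at)
  alerts.select { |a| RISK_ORDER.fetch(a[:risk], 0) >= min }
end

# Render alerts in the style of `zapr --summary` for the console log.
def render_table(alerts)
  headers = { alert: "Alert", risk: "Risk", url: "URL" }
  widths  = headers.to_h { |k, h| [k, ([h] + alerts.map { |a| a[k] }).map(&:length).max] }
  sep = "+" + widths.values.map { |w| "-" * (w + 2) }.join("+") + "+"
  row = ->(h) { "|" + widths.map { |k, w| " " + h[k].ljust(w) + " " }.join("|") + "|" }
  [sep, row.call(headers), sep, *alerts.map { |a| row.call(a) }, sep].join("\n")
end

# The build verdict: pass only when nothing reaches the threshold.
def scan_gate(json_text, fail_at: "Medium")
  alerts   = parse_alerts(json_text)
  blocking = blocking_alerts(alerts, fail_at: fail_at)
  { status: blocking.empty? ? :pass : :fail, blocking: blocking.size, total: alerts.size }
end

if __FILE__ == $PROGRAM_NAME
  alerts = parse_alerts(SAMPLE_SCAN_JSON)
  puts render_table(blocking_alerts(alerts, fail_at: "Medium"))
  p scan_gate(SAMPLE_SCAN_JSON, fail_at: "Medium")
  # a CI step would `exit(scan_gate(...)[:status] == :pass ? 0 : 1)` here
end
```

Start with `fail_at: "High"` on an existing application so the job goes green on day one, then lower the threshold as findings are fixed; that is the "add one step today" path the conclusions recommend, without the job being ignored because it was red from the start.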

Slide 165

BASIC SECURITY TESTING IS NOW EASY

Slide 166

A working example: github.com/secure-pipeline/node-travis-example (Zapr testing NodeGoat)

Slide 167

Other scanners: skipfish, nikto, w3af, arachni
github.com/garethr/pentesting-playground

Slide 168

Chapter 5: CONCLUSIONS

Slide 169

BASIC SECURITY TESTING IS NOW EASY

Slide 170

ADD ONE STEP TO YOUR CI PIPELINE TODAY

Slide 171

GET INVOLVED AT github.com/secure-pipeline

Slide 172

OFFICE HOURS WED, 11:30AM, TABLE 3

Slide 173

ANY QUESTIONS? The End