Introduction
Timeline: 1997 · 2006 · 2014
Roles: Consultant, Engineer, Software Architect, Director of Engineering, Rabble Rouser
Technologies: Perl, Java Applet, C++, J2EE, J2EE, Spring, Ruby, Rails, Agile, Clojure, Graph Database
Analytics, Certificate Authority, Vulnerability Scanner, Penetration Test Manager, Pricing
Domains: Retail, Banking, Manufacturing, Pharma, Healthcare, Research
Talks: Chicago BSides 2011, 2012; Defcon Skytalk; OWASP Chicago, MSP 2013; AppSec USA 2012, 2013; ChicagoRuby 2013; Secure 360; Lone Star Ruby 2013; WindyCityRails 2013; Chicago JUG 2014; RailsConf 2014; Converge 2014; Chicago Coder Conference 2015
MS in CS; Founder; Consultant
Trying to hack a business model that succeeds while helping developers.
Projects: DevOps / Automation, Training, Coaching, Code Review, Plugged in to SDLC, Consulting, Assessments
@mkonda
DevOps, Growing
Slide 4
What do I do?
• Bug bounty
• Breaking
• Mostly SDLC
• Training
• Automation
Slide 5
Overview
• Hands on with Pipeline for labs
• Quick overview of security tools
• DevOps / Continuous Delivery & Rugged
• Leveraging security automation where possible
Slide 12
The security tool landscape (slides 12 through 18 build this diagram up one item at a time):
Static Analysis
Dynamic Analysis
Live App Scanning
Dependency Checks
Web Application Firewall
Runtime Security Monitoring
IP Reputation
Anti-Automation
Penetration Testing
Slide 20
Grades, in slide order, for the ten categories: B+, C, B+, F, D, D, F, B, A-, C
The items graded are the OWASP Top 10 (2013) categories. The grades are mine and are arbitrary.
https://www.owasp.org/index.php/Top_10_2013-Top_10
Slide 23
There is no substitute for
people with knowledge.
Slide 24
But we can help
ourselves by leveraging
tools.
Slide 25
We just have to be smart
and flexible about it.
Slide 26
Lab 2: Running Pipeline on Your Project
docker run \
  -v ~/code/location:/tmp/directory/ \
  jemurai/pipeline:0.8 \
  -d \
  -f csv \
  /tmp/directory/
Note the argument order: -v is a docker option and must come before the image name, while -d (Pipeline's debug output), -f csv (report format) and the target path come after the image because they are arguments to pipeline itself.
* For ease of Docker setup, please use a directory within your home directory. It is possible to do this in other ways, but it requires further setup of shared folders in VirtualBox, which we want to avoid for the purposes of this workshop.
Slide 27
What are your results?
Slide 28
Checkpoint: 60?
Slide 29
DevOps / Continuous Delivery
Slide 31
Rugged
Slide 32
I recognize that software has become a foundation of our
modern world.
I recognize the awesome responsibility that comes with this
foundational role.
I recognize that my code will be used in ways I cannot
anticipate, in ways it was not designed, and for longer than it
was ever intended.
I recognize that my code will be attacked by talented and
persistent adversaries who threaten our physical, economic
and national security.
I recognize these things – and I choose to be rugged.
Slide 34
Understand lifecycle
Slide 35
Requirements
Design
Code
Test
Maintenance
Classic Waterfall Delivery
Slide 36
Classic Waterfall Delivery again (Requirements, Design, Code, Test, Maintenance), now with a Security box added to the diagram.
Slide 37
continuous delivery
Slide 38
Classic security sees this
and wants to …
Slide 39
continuous delivery
Slide 40
But we can embrace it.
Slide 41
Being able to deploy quickly is
my #1 security feature.
- Nick Galbreath
Slide 42
Think incremental
Slide 43
Story
Continuous Delivery: the unit of work is a story, and each story goes through Requirements, Design, Code and Test.
Slide 44
Security activities attached to each story (built up on slide 44):
Security Requirements
Security Unit Tests
Exploratory Testing
Static Analysis on Commit
Code Review
Threat model / attack surface
Checklists
Understand Dependencies
Slide 45
continuous delivery
Code Review
Security Unit Tests
Security Requirements
Slide 46
Automate security tools
Slide 47
continuous delivery
Security Tool Automation:
Code analysis
Security unit tests
Dynamic scanning
etc.
Slide 48
continuous delivery
Security Tests Run
Exploratory Testing Includes Security
Slide 49
Lab 3: Getting into the Pipeline Docker Image
1. docker run -i -t --entrypoint=/bin/bash jemurai/pipeline:0.8
2. cd lib
3. ../bin/pipeline -h
Now you're running from source.
We can change anything …
Slide 50
Checkpoint: 80?
Slide 51
Case Study
Slide 52
Credit: Matt Tesauro at AppSecEU 2015
http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu
Slide 53
Pipeline Design
Slide 54
Overview
• Pipeline is broken into different chunks to try to make it easy and straightforward to extend in expected ways.
• These illustrate the challenges of security automation.
Stages: Mounter → Files → Code → Live → Filter → Reporter. The Files, Code and Live stages are the "Tasks"; Mounter, Filter and Reporter are the other internals.
• Within "Tasks", each of the files, code and app phases of the pipeline can be run selectively as stages.
Slide 82
ruby bin/pipeline -l code -d -f text /area53/app/
  -l code   (Code analysis)
  -d        (Turn on debug)
  -f text   (Output format)
Lab 5: Adding a New Tool to Pipeline
1. docker run -i -t --entrypoint=/bin/bash jemurai/pipeline:0.8
2. cd pipeline/lib/pipeline/tasks/
3. cp bundler-audit.rb test.rb
4. Edit it to always create a finding (or use the following example for grep)
5. cd ../..   (back to pipeline/lib)
6. ../bin/pipeline -t test /tmp/
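As an added example for this lab (and for the Mounter / Files / Code / Live / Filter / Reporter stages on slide 54), here is a self-contained Ruby sketch of what a grep-style task does and how its findings flow through a filter and a reporter. It is not code from Pipeline and does not use Pipeline's real base classes or task API; GrepTask, Filter, Reporter, Finding, the regex patterns and the sample project are all illustrative assumptions. A real Pipeline task would wrap the same run / analyze / report idea around an external tool such as bundler-audit.

```ruby
# Added example, not code from Pipeline itself: a task -> filter -> reporter
# chain in the shape of the stages named on slide 54. GrepTask, Filter,
# Reporter and Finding are illustrative names and do NOT use Pipeline's real
# base classes or task API.
require 'digest'
require 'tmpdir'

Finding = Struct.new(:task, :description, :detail, :source, :severity, :fingerprint)

# A grep-style "code" stage task: walk the target directory and flag lines that
# match risky patterns. Severity is 1 (low) to 3 (high).
class GrepTask
  NAME = 'Grep'.freeze
  PATTERNS = {
    /\b(password|passwd|secret|api_key)\s*[:=]\s*['"][^'"]+['"]/i => [3, 'Hard-coded credential'],
    /\bsystem\s*\(\s*["'][^"']*\#\{/ => [3, 'Shell command built by string interpolation'],
    /\beval\s*\(/ => [2, 'Use of eval'],
  }.freeze

  def initialize(path)
    @path = File.expand_path(path)
  end

  # run + analyze in one step: returns an Array of Finding for the whole tree.
  def run
    findings = []
    Dir.glob(File.join(@path, '**', '*')).sort.each do |file|
      next unless File.file?(file)
      rel = file.sub("#{@path}/", '')
      File.foreach(file).with_index(1) do |line, lineno|
        line = line.scrub # binary junk must not abort the whole scan
        PATTERNS.each do |re, (severity, description)|
          next unless re.match?(line)
          detail = line.strip
          # The fingerprint excludes the line number, so a finding survives
          # unrelated edits above it and can be deduplicated across runs.
          fp = Digest::SHA256.hexdigest([NAME, description, rel, detail].join('|'))
          findings << Finding.new(NAME, description, detail, "#{rel}:#{lineno}", severity, fp)
        end
      end
    end
    findings
  end
end

# Filter stage: drop findings below a severity floor and collapse duplicates
# (same fingerprint) so a re-run or two overlapping tools report an issue once.
class Filter
  def initialize(min_severity: 1)
    @min_severity = min_severity
  end

  def apply(findings)
    seen = {}
    findings.select do |f|
      next false if f.severity < @min_severity
      next false if seen[f.fingerprint]
      seen[f.fingerprint] = true
    end
  end
end

# Reporter stage: render findings as text or CSV (the -f formats used in the labs).
class Reporter
  HEADER = %w[task description detail source severity fingerprint].freeze

  def self.report(findings, format)
    case format
    when 'csv'
      ([HEADER] + findings.map(&:to_a)).map { |row| row.map { |v| csv_quote(v) }.join(',') }.join("\n") + "\n"
    when 'text'
      findings.map { |f| "[#{f.severity}] #{f.task}: #{f.description} at #{f.source}\n    #{f.detail}" }.join("\n")
    else
      raise ArgumentError, "unknown format #{format.inspect} (use csv or text)"
    end
  end

  def self.csv_quote(value)
    s = value.to_s
    s =~ /[",\n]/ ? %("#{s.gsub('"', '""')}") : s
  end
end

def run_pipeline(path, format: 'text', min_severity: 1)
  findings = Filter.new(min_severity: min_severity).apply(GrepTask.new(path).run)
  Reporter.report(findings, format)
end

# Constructed sample project (not from the page) so the example runs offline.
def sample_project
  dir = Dir.mktmpdir('pipeline-demo')
  File.write(File.join(dir, 'config.rb'), <<~'RUBY')
    API_KEY = 'sk_live_123'
    password = 'hunter2'
  RUBY
  File.write(File.join(dir, 'runner.rb'), <<~'RUBY')
    def go(dir)
      system("ls #{dir}")
    end
    x = eval("1+1")
  RUBY
  dir
end

if __FILE__ == $PROGRAM_NAME
  dir = sample_project
  puts run_pipeline(dir, format: 'text')
  puts run_pipeline(dir, format: 'csv', min_severity: 3)
end
```

The point of the fingerprint is that a finding is identified by what and where (file and matched line), not by the line number, which is what lets a filter suppress known or accepted findings between runs without them reappearing after every unrelated edit.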
Slide 86
Checkpoint: 125?
Slide 87
Integrations
Slide 88
pre-commit
Slide 89
Lab 5: Running Pipeline on a Git Hook
1. Copy hooks/pre-commit from the Pipeline checkout into your project's .git/hooks/
2. chmod +x pre-commit
3. Edit pre-commit to reflect your path and tools
4. Regular process:
   1. Change a
   2. git add
   3. git commit -m "Testing"
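As an added example of what a hook like this has to get right, here is a pre-commit hook written in Ruby (Pipeline's own language; git accepts any executable). It is not the hooks/pre-commit script that ships with Pipeline. It assumes, as labelled in the code, that the scanner command is supplied through SCAN_CMD and prints CSV with a header row containing severity, description and source columns, with severities given as 1 to 3 or as low/medium/high; Pipeline's actual CSV layout may differ, so the column names are the thing to adjust. The PIPELINE_CMD and PIPELINE_FAIL_SEVERITY environment variables are conventions of this example only.

```ruby
#!/usr/bin/env ruby
# Added example, not the hooks/pre-commit script that ships with Pipeline: a
# pre-commit hook that scans the STAGED content of a commit and refuses the
# commit when any finding reaches a severity threshold.
# Assumptions (not from the page): the scanner command is SCAN_CMD and prints
# CSV with a header row including 'severity', 'description' and 'source';
# severities are 1-3 or low/medium/high. Adjust the column names to your tool.
require 'fileutils'
require 'tmpdir'

SCAN_CMD = ENV.fetch('PIPELINE_CMD',
                     'docker run -v "%<dir>s":/tmp/directory/ jemurai/pipeline:0.8 -f csv /tmp/directory/')
FAIL_AT = Integer(ENV.fetch('PIPELINE_FAIL_SEVERITY', '3'))
SEVERITY_WORDS = { 'high' => 3, 'medium' => 2, 'low' => 1 }.freeze

# Paths staged for this commit (added, copied, modified, renamed); NUL-separated
# so file names containing spaces or newlines are handled correctly.
def staged_files
  IO.popen(%w[git diff --cached --name-only --diff-filter=ACMR -z], &:read).split("\0")
end

# One CSV record, handling quoted fields and doubled quotes ("" -> ").
# Multi-line quoted fields are not supported.
def parse_csv_line(line)
  fields = []
  field = String.new
  quoted = false
  i = 0
  while i < line.length
    c = line[i]
    if quoted
      if c == '"' && line[i + 1] == '"'
        field << '"'
        i += 1
      elsif c == '"'
        quoted = false
      else
        field << c
      end
    elsif c == '"'
      quoted = true
    elsif c == ','
      fields << field
      field = String.new
    else
      field << c
    end
    i += 1
  end
  fields << field
end

# Header-keyed rows; header names are downcased so 'Severity' and 'severity' both work.
def parse_csv(text)
  lines = text.lines.map(&:chomp).reject(&:empty?)
  return [] if lines.empty?
  header = parse_csv_line(lines.shift).map { |h| h.strip.downcase }
  lines.map { |l| header.zip(parse_csv_line(l)).to_h }
end

def severity_of(value)
  v = value.to_s.strip.downcase
  SEVERITY_WORDS[v] || Integer(v, exception: false) || 0
end

# The decision: returns [exit_status, message]. Non-zero makes git abort the commit.
def gate(csv_text, threshold)
  blocking = parse_csv(csv_text).select { |row| severity_of(row['severity']) >= threshold }
  return [0, "pre-commit: no findings at severity #{threshold} or above"] if blocking.empty?
  lines = blocking.map { |r| "  [#{r['severity']}] #{r['description']} (#{r['source']})" }
  [1, "pre-commit: refusing commit, #{blocking.size} finding(s) at severity #{threshold}+:\n#{lines.join("\n")}"]
end

# Export the staged blobs (git show :path) rather than the working tree, so the
# scan sees exactly what would be committed. The export is created under the
# repository root because slide 26 warns that Docker bind mounts outside your
# home directory may need extra shared-folder setup.
def scan_staged(files)
  Dir.mktmpdir('pipeline-staged-', Dir.pwd) do |dir|
    files.each do |path|
      dest = File.join(dir, path)
      FileUtils.mkdir_p(File.dirname(dest))
      File.binwrite(dest, IO.popen(['git', 'show', ":#{path}"], &:read))
    end
    IO.popen(format(SCAN_CMD, dir: dir), &:read)
  end
end

# Only act when installed as .git/hooks/pre-commit; loading this file elsewhere
# (for instance to test gate/parse_csv) must not call git or exit.
if $PROGRAM_NAME.end_with?('hooks/pre-commit')
  files = staged_files
  exit 0 if files.empty?
  status, message = gate(scan_staged(files), FAIL_AT)
  warn message
  exit status
end
```

Two design choices matter more than the CSV parsing. Scanning `git show :path` output instead of the working tree means an unstaged fix cannot mask a staged secret, and exporting only staged files keeps the hook fast enough that developers leave it enabled. Note also that git invocations use the array form of IO.popen, so a file name is never interpreted by a shell.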