Slide 1

Copyright © we45 2020 abhaybhargav
Practical DevSecOps Pipelines
Abhay Bhargav, we45

Slide 2

Yours Truly
• Founder @ we45
• Chief Architect - Orchestron
• Avid Pythonista and AppSec Automation Junkie
• Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc. world-wide
• Lead Trainer - we45 Training and Workshops
• Co-author of Secure Java For Web Application Development
• Author of PCI Compliance: A Definitive Guide

Slide 3

Virtual Training
• DevSecOps MasterClass => 1 & 2 July 2020
• Attacking and Defending Containers, Kubernetes and Serverless => June 22-25 2020
• Significant Discount on all courses
• URL: store.we45.com
• Get Live Training + Access to Labs + Access to Videos + Certification =

Slide 4

Conference Training

Slide 5

we45 Community Initiatives
• Youtube Channel: youtube.com/we45-appsec
• Blog: we45.com/blog
• Talks/Workshops at several OWASP Events

Slide 6

Agenda
• CI Problems with Security Tools
• Security Problems with CI Tools
• Developments in Static Analysis
• Cloud-Native Pipelines - A New Hope
• Demos
• FIN

Slide 7

Pray to the Demo Gods

Slide 8

CI Problems with Security Tools
• “Run MY tool. See MY Dashboard”
• Inconsistent APIs
• Long-running jobs

Slide 9

Security Tools - It’s all about me!

Slide 10

Security Tool Narcissism

Slide 11

Long-running jobs

Slide 12

Blocking Good Feedback a.k.a. Security(-Usability) Issues with CI Tools

Slide 13

“Jenkins is the Wordpress of CI”
– Several unsung security heroes

Slide 14

“There’s something very ironic about finding RCEs in a RCE platform”
– Abhay Bhargav

Slide 15

Let’s play Outcome Jeopardy!
• Authentication Bypass => RCE!
• AuthZ Bypass => RCE!
• XSS => RCE!
• RCE => RCE!

Slide 16

On top of that…
• Not very CD friendly - Especially for “born in cloud” services
• Not very cloud/container-native friendly
• Not very micro-services friendly

Slide 17

And in many cases…

Slide 18

Better (more Practical) DevSecOps Pipelines

Slide 19

Areas of Focus
• A More effective world of Static Analysis
• Test Automation weds DAST/IAST
• Cloud-Native DevOps Pipelines

Slide 20

SAST Tools
• Multi-Language (Typically Commercial) SAST Tools
    • Multi-Language and Platform
    • Combination of AST and Regex
    • Source-Sink and linked usage functionality
• Single Language/Platform (Typically OSS) SAST Tools
    • Single Language or Platform
    • Typically AST based Scanning Tools
    • No Source-Sink. Typically File and Line-based analysis
• Semantic Grep/QL Tools
    • New Category of SAST Analysis
    • Semantic Grep or Queries against Source Code (like SQL)
    • Aims at uncovering flaws at scale

Slide 21

SAST Test Approaches
• Good ol’ Regular Expressions
• Abstract Syntax Trees
• Semantic Grep or QL

Slide 22

Errors
Code Comments:
    # Don’t use this!! jwt.decode(something, secret, verify=False)

Slide 23

SAST with AST

Slide 24

AST example with Python:
    call
        nil
        jwt.decode
        args
            local “verify”
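To make the regex versus AST contrast on these slides concrete, here is an added example (not from the talk or any we45 tool) that runs both approaches over a constructed Python snippet containing the commented-out call from the "Errors" slide and a real verify=False call:

```python
import ast
import re

# Constructed sample: a safe call, a commented-out copy of the bad call (the
# "Errors" slide case), and a real jwt.decode(..., verify=False) call.
SAMPLE = '''
import jwt

def safe(token, secret):
    return jwt.decode(token, secret, algorithms=["HS256"])

def unsafe(token, secret):
    # Don't use this!! jwt.decode(something, secret, verify=False)
    return jwt.decode(token, secret, verify=False)
'''

# Regex approach: matches text wherever it appears, so the comment is a hit too.
PATTERN = re.compile(r"jwt\.decode\(.*verify\s*=\s*False")

def regex_findings(source):
    """Line numbers where the regex matches (comments included: a false positive)."""
    return [n for n, line in enumerate(source.splitlines(), 1) if PATTERN.search(line)]

def ast_findings(source):
    """Line numbers of real jwt.decode(...) Call nodes passing verify=False.
    Comments never reach the syntax tree, so they cannot produce a finding."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        fn = node.func  # expecting Attribute(value=Name("jwt"), attr="decode")
        if not (isinstance(fn, ast.Attribute) and fn.attr == "decode"
                and isinstance(fn.value, ast.Name) and fn.value.id == "jwt"):
            continue
        for kw in node.keywords:
            if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                hits.append(node.lineno)
    return hits
```

The regex reports lines 8 and 9 (comment and call), the AST walk only line 9; a Semgrep or CodeQL rule works at the same syntactic level as the AST version.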

Slide 25

Semgrep and CodeQL

Slide 26

Demo

Slide 27

A New Hope

Slide 28

A (Better) alternative?
• No Persistent Compute => Typically with Orchestration (Container)
• Cloud-Native:
    • Integrated Secrets Management
    • Centralized IAM Implementation
    • Object Storage
    • Query Tools (Athena)

Slide 29

In addition…
• Closer to developer workflows => Github, Gitlab, AWS
• Container-Native workflows

Slide 30

Existing Options

Slide 31

Some unconventional approaches
• Test Automation Frameworks for Security Workflows
• Step Functions (State Machines)
• Flows with Container Orchestration

Slide 32

Test Automation Driven Workflows
• Test Automation Frameworks can be used to trigger all kinds of security workflows
• Frameworks like Robot Framework and Gauge are low-maintenance and low-code
• Much more suited to developer and QA workflows

Slide 33

Robot Framework

*** Test Cases ***
Clone repo from Github
    clone repository from url    ${GIT_URL}    ${TO_PATH}

Run NodeJSScanner
    run nodejsscan against source    ${TO_PATH}    ${RESULTS_PATH}
    nodejsscan write to orchy    ${RESULTS_PATH}/nodejsscan.json    ${SECRET}    ${ACCESS}    ${HOOK}

Run NPM Audit against packageJSON
    run npmaudit against source    ${TO_PATH}    ${RESULTS_PATH}
    npmaudit write to orchy    ${RESULTS_PATH}/npm_audit.json    ${SECRET}    ${ACCESS}    ${HOOK}

Initialize ZAP
    [Tags]    zap_init
    start gui zap    ${ZAP_PATH}
    sleep    10
    zap open url    http://${TARGET_URI}

Authenticate to Cut the Funds as Admin
    [Tags]    walk_web_service
    &{res}=    POST    /users/login    {"email": "[email protected]", "password": "spiderman"}
    Integer    response status    200
    Boolean    response body auth    true
    set suite variable    ${TOKEN}    ${res.body["token"]}
    log    ${TOKEN}

Slide 34

Gauge Demo

Slide 35

Github Actions

Slide 36

Step Functions
• Coordinate AWS services into Serverless Workflows
• Can be used for:
    • AWS Lambda
    • Fargate
    • Sagemaker

Slide 37

Step Functions States
• Task
• Choice
• Fail/Succeed
• Pass
• Wait
• Parallel
• Map

Slide 38

Benefits
• Modeling complex workflows
• Event-driven => Invoked only as required
• No Persistent Compute/Service
• Engineering/Developer-first workflow
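An added example (not from the talk) of the kind of state machine slides 36 to 38 describe, written as a Python dict in Amazon States Language so json.dumps(build_definition()) can be handed to create_state_machine; the Lambda ARNs and the $.summary.high count returned by the store step are assumptions, and validate() is a small structural check for a definition before it is deployed:

```python
# Placeholder ARNs (assumption): one Lambda per scanner and one that stores
# results in object storage and returns a severity summary.
SAST_ARN = "arn:aws:lambda:us-east-1:123456789012:function:run-nodejsscan"
SCA_ARN = "arn:aws:lambda:us-east-1:123456789012:function:run-npm-audit"
STORE_ARN = "arn:aws:lambda:us-east-1:123456789012:function:store-results"

def task(arn, **extra):
    return {"Type": "Task", "Resource": arn, **extra}

def build_definition():
    """ASL: SAST and SCA run in a Parallel state, a Task stores the results,
    then a Choice state fails the execution if any high findings came back."""
    return {
        "StartAt": "Scan",
        "States": {
            "Scan": {
                "Type": "Parallel",
                "Branches": [
                    {"StartAt": "SAST", "States": {"SAST": task(SAST_ARN, End=True)}},
                    {"StartAt": "SCA", "States": {"SCA": task(SCA_ARN, End=True)}},
                ],
                "ResultPath": "$.scans", "Next": "Store",
            },
            "Store": task(STORE_ARN, ResultPath="$.summary", Next="Gate"),
            "Gate": {
                "Type": "Choice",
                "Choices": [{"Variable": "$.summary.high", "NumericGreaterThan": 0, "Next": "Block"}],
                "Default": "Done",
            },
            "Block": {"Type": "Fail", "Error": "HighSeverityFindings", "Cause": "High severity issues"},
            "Done": {"Type": "Succeed"},
        },
    }

def validate(definition):
    """Every Next/Default target must exist and every state must continue, choose or end."""
    states, errors = definition["States"], []
    for name, state in states.items():
        targets = [state.get("Next"), state.get("Default")]
        targets += [c.get("Next") for c in state.get("Choices", [])]
        errors += [f"{name}: unknown target {t}" for t in targets
                   if t is not None and t not in states]
        ends = state["Type"] in ("Fail", "Succeed") or state.get("End") or "Choices" in state
        if not ends and "Next" not in state:
            errors.append(f"{name}: no Next and not terminal")
        for branch in state.get("Branches", []):  # Parallel branches are sub-machines
            errors += validate(branch)
    return errors
```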

Slide 40

Demo

Slide 41

DAST/IAST Workflows

Slide 42

Data Consumption Possibilities
• Orchestron/Other Vulnerability Management tool
• Athena (equivalent) to query and render results
• Slack/JIRA push, etc.
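An added example (not from the talk or Orchestron) of the consumption side this slide lists: it flattens an npm audit report, modelled on the npm 6 `npm audit --json` layout with a constructed sample, into one record per advisory for object storage and Athena-style querying, and reduces it to a high-signal gate summary:

```python
import json

# Constructed sample modelled on the npm 6 audit JSON layout (assumption:
# "advisories" keyed by id, each with module_name/severity/title/findings).
NPM_AUDIT_JSON = json.dumps({
    "advisories": {
        "1": {"module_name": "lodash", "severity": "high", "title": "Prototype Pollution",
              "findings": [{"version": "4.17.11", "paths": ["lodash"]}]},
        "2": {"module_name": "minimist", "severity": "low", "title": "Prototype Pollution",
              "findings": [{"version": "0.0.8", "paths": ["mkdirp>minimist"]}]},
    }
})

def to_records(audit_json, repo, commit):
    """One flat record per advisory finding, tagged with repo/commit so rows from
    many pipeline runs can sit under one object-storage prefix and be queried."""
    report = json.loads(audit_json)
    records = []
    for adv_id, adv in report.get("advisories", {}).items():
        for finding in adv.get("findings", []):
            records.append({
                "tool": "npm_audit", "repo": repo, "commit": commit,
                "advisory_id": adv_id, "module": adv["module_name"],
                "version": finding.get("version"), "severity": adv["severity"],
                "title": adv["title"],
            })
    return records

def to_ndjson(records):
    """Newline-delimited JSON: the shape query engines read straight from object storage."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)

def gate(records, block_on=("critical", "high")):
    """High-signal feedback: count only severities worth blocking a build on."""
    blocking = [r for r in records if r["severity"] in block_on]
    return {"total": len(records), "blocking": len(blocking),
            "modules": sorted({r["module"] for r in blocking})}
```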

Slide 43

Conclusions
• Think Feedback more than force-fitting into Pipelines
• Think beyond CI tools to run CIs. There are some significant constraints
• Speed and High Signal Ratio is very important for you to be more effective
• Leverage Cloud-Native tooling for “born in cloud/container-dependent” services