Put yourself in the appsec pipeline

Transcript

1. Put yourself in the
   #appsec pipeline
   

   View Slide

2. Change your Yahoo Password now (ymail,
   flickr, …)!
   http://www.usatoday.com/story/tech/2016/09/22/report-yahoo-may-
   confirm-massive-data-breach/90824934/
   

   View Slide

3. $ whoami
   • Application security engineer 15
   years in #appsec industry
   • Tech blogger @codiceinsicuro
   • Love writing security source code
   scanners (Owasp Orizon,
   dawnscanner)
   • Love talking about application
   security
   • #appsec tweets available at
   @thesp0nge
   

   View Slide

4. Agenda
   • Talk about testing scenarios
   • Talk about what an appsec pipe is and what do you
   need to create one
   • Be inspired, go home and do some homework
   

   View Slide

5. What do I have to test?
   

   View Slide

6. View Slide

7. Testing scenarios
   

   View Slide

8. We don’t do any test
   (and we are aware of it)
   

   View Slide

9. We don’t do any test
   (but I’ll love to do)
   

   View Slide

10. We do security test
    (but I want to learn more about the pipeline)
    

    View Slide

11. How do we perform
    security tests?
    

    View Slide

12. The unacceptable solution…
    • Tests must be done:
    • in production environment
    • before going live
    • Testers need:
    • the code being frozen
    • some “fake” accounts
    • a couple of week to do the job
    

    View Slide

13. … for a difficult task
    • Products can not delay time to market
    release to allow security tests
    • Tests must be performed on each release
    • Often companies do releases on a weekly
    basis
    • There are no fake accounts on a
    production server
    • Code is never on a frozen state
    • This applies to web properties and
    mobile applications
    • Tests are not sawn as investment
    

    View Slide

14. #appsec can’t be done this way
    and we’re the first talking our science to the next level
    

    View Slide

15. The application security
    pipeline
    

    View Slide

16. Before we start
    • We need
    • Commitment
    • An organised SDLC
    • A development team aware about
    #appsec topic
    • An #appsec team (with patience and
    some coding skills)
    

    View Slide

17. Then we can build the #appsec pipeline
    (https://www.owasp.org/index.php/OWASP_AppSec_Pipeline)
    

    View Slide

18. The collector tool
    A way for our customer to ask for services, keep track about the progress
    and having results back
    

    View Slide

19. Your favourite collection of #appsec tools
    You may want to cover vulnerability assessment, penetration test, web application
    penetration test and code review at least. Keep calm and let’s go shopping.
    

    View Slide

20. The Orchestrator
    Your customers ask for services, you need an automatic dispatcher mechanism to
    the appropriate tool. Of course you need also something retrieving results too.
    

    View Slide

21. The ticketing system
    You need something to keep track about vulnerabilities, about their history
    and their state.
    

    View Slide

22. The Workflow
    (Glue all together)
    

    View Slide

23. Bonus track - some useful
    tools
    

    View Slide

24. Some tools to check
    • Sinatra with Grape (create HTTP API
    endpoints)
    • Owasp ZAP (WAPT on steroids)
    • Owasp DeepViolet (check your SSL config)
    • Nexpose + nexpose gem (automate
    vulnerability assessment)
    • Brakeman/Dawnscanner (ultimate ruby
    code review)
    • Owasp Orizon (Java security code review)
    • Owasp GLUE gem (pipeline related tool)
    

    View Slide

25. THANKS!
    

    View Slide