
Put yourself in the appsec pipeline

Paolo Perego
September 23, 2016


Building an effective application security pipeline is a necessary
step for any company that wants to establish a meticulous appsec
program. Creating secure software is more than running a penetration
test or a code review just before deployment, and some automation can
help you keep the error rate of the process low.

In this talk we will go through the pipeline building process,
explaining how to automate some boring tasks so that we can dedicate
ourselves to having fun, playing tricks like pros. At the end of our
journey both tech people and security managers will have the feeling
that, using the pipeline approach, they can lower vulnerabilities with
an affordable time to market, so as to make the bosses happy.


Transcript

  1. Put yourself in the #appsec pipeline

  2. Change your Yahoo Password now (ymail, flickr, …)!
    http://www.usatoday.com/story/tech/2016/09/22/report-yahoo-may-confirm-massive-data-breach/90824934/

  3. $ whoami
    • Application security engineer, 15 years in the #appsec industry
    • Tech blogger @codiceinsicuro
    • Love writing security source code scanners (Owasp Orizon, dawnscanner)
    • Love talking about application security
    • #appsec tweets available at @thesp0nge

  4. Agenda
    • Talk about testing scenarios
    • Talk about what an appsec pipe is and what you need to create one
    • Be inspired, go home and do some homework

  5. What do I have to test?

  6. Testing scenarios

  7. We don’t do any test (and we are aware of it)

  8. We don’t do any test (but I’d love to)

  9. We do security tests (but I want to learn more about the pipeline)

  10. How do we perform security tests?

  11. The unacceptable solution…
    • Tests must be done:
      • in the production environment
      • before going live
    • Testers need:
      • the code to be frozen
      • some “fake” accounts
      • a couple of weeks to do the job

  12. … for a difficult task
    • Products cannot delay a release (time to market) to allow security tests
    • Tests must be performed on each release
    • Companies often do releases on a weekly basis
    • There are no fake accounts on a production server
    • Code is never in a frozen state
    • This applies to web properties and mobile applications
    • Tests are not seen as an investment

  13. #appsec can’t be done this way,
    and we’re the first ones to take our science to the next level

  14. The application security pipeline

  15. Before we start
    • We need:
      • Commitment
      • An organised SDLC
      • A development team aware of #appsec topics
      • An #appsec team (with patience and some coding skills)

  16. Then we can build the #appsec pipeline
    (https://www.owasp.org/index.php/OWASP_AppSec_Pipeline)

  17. The collector tool
    A way for our customers to ask for services, keep track of progress and get
    results back.

  18. Your favourite collection of #appsec tools
    You may want to cover at least vulnerability assessment, penetration testing,
    web application penetration testing and code review. Keep calm and let’s go shopping.

  19. The Orchestrator
    Your customers ask for services; you need an automatic mechanism that dispatches
    each request to the appropriate tool. Of course you also need something to retrieve
    the results.

  20. The ticketing system
    You need something to keep track of vulnerabilities, their history and their state.

  21. The Workflow
    (Glue all together)

  22. Bonus track - some useful tools

  23. Some tools to check
    • Sinatra with Grape (create HTTP API endpoints)
    • Owasp ZAP (WAPT on steroids)
    • Owasp DeepViolet (check your SSL config)
    • Nexpose + nexpose gem (automate vulnerability assessment)
    • Brakeman/Dawnscanner (ultimate Ruby code review)
    • Owasp Orizon (Java security code review)
    • Owasp GLUE gem (pipeline related tool)
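The collector, orchestrator and ticketing pieces from slides 17 to 21, glued together in the Ruby the deck's tooling (slide 23) suggests, as an added example that is not code from the talk: a toy orchestrator dispatches service requests through a tool table and feeds findings into a ticketing store keyed by a fingerprint, so a vulnerability reported again on the next weekly release updates one ticket's history instead of opening a duplicate. The targets, the tool runs and the findings are constructed stand-ins, not real scanner output.

```ruby
require 'digest'
# Dispatch table: service a customer asks the collector for -> tool serving it.
# Tool names are those the deck lists; the lambdas stand in for running the
# tool and parsing its report, returning constructed sample findings.
TOOLS = {
  'code_review' => { tool: 'dawnscanner', run: ->(t) { [
    { check: 'sql_injection', location: "#{t}/app/models/user.rb:42" },
    { check: 'xss', location: "#{t}/app/views/posts/show.erb:7" }] } },
  'wapt' => { tool: 'owasp-zap', run: ->(t) { [{ check: 'missing_csp_header', location: "https://#{t}/" }] } },
  'va'   => { tool: 'nexpose', run: ->(_t) { [] } }
}.freeze
# Ticketing: one ticket per distinct vulnerability, keyed by a fingerprint, so a
# finding reported again on next week's release updates the existing ticket
# (its history) instead of opening a duplicate.
class Ticketing
  attr_reader :tickets
  def initialize
    @tickets = {}
  end
  def report(target, tool, finding)
    key = Digest::SHA256.hexdigest("#{target}|#{tool}|#{finding[:check]}|#{finding[:location]}")[0, 12]
    ticket = (@tickets[key] ||= { id: key, target: target, tool: tool, finding: finding,
                                  state: 'open', seen: 0 })
    ticket[:seen] += 1 # history: number of scans that reported it
    ticket
  end
end
# Orchestrator: takes requests from the collector, dispatches each one to the
# tool that serves it and feeds the results to ticketing (the "glue" slide).
class Orchestrator
  def initialize(ticketing)
    @ticketing = ticketing
    @requests = []
  end
  def request(service, target)
    raise ArgumentError, "no tool serves '#{service}'" unless TOOLS.key?(service)
    @requests << { id: @requests.size + 1, service: service, target: target, state: 'queued' }
    @requests.last
  end
  def run_queued
    @requests.select { |r| r[:state] == 'queued' }.map do |r|
      entry = TOOLS[r[:service]]
      r[:tickets] = entry[:run].call(r[:target]).map { |f| @ticketing.report(r[:target], entry[:tool], f) }
      r[:state] = 'done'
      r
    end
  end
end
```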