All you need is Zap - Omer Levi Hevroni & Yshay Yaacobi - DevOpsDays Tel Aviv 2017
•Télécharger en tant que PPTX, PDF•
0 j'aime•254 vues
DevOpsDays Tel Aviv 2017
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à All you need is Zap - Omer Levi Hevroni & Yshay Yaacobi - DevOpsDays Tel Aviv 2017
Similaire à All you need is Zap - Omer Levi Hevroni & Yshay Yaacobi - DevOpsDays Tel Aviv 2017 (20)
Plus de DevOpsDays Tel Aviv
Plus de DevOpsDays Tel Aviv (20)
Dernier
Dernier (20)
All you need is Zap - Omer Levi Hevroni & Yshay Yaacobi - DevOpsDays Tel Aviv 2017
- 1. Dynamic Security Testing November 2017 @omerlh @yshayy
- 4. And it affects the stock price... disclosed
- 7. Will you be the next Equifax?
- 8. What can we do? ● Threat Modeling ● Design/Code review ● Bug bounties ● Security tests ● And many more…
- 9. Security Tests in CI
- 10. What's a feature management solution?
- 11. Let’s try to change the design a bit to increase engagement Demo e-commerce app Example 1 - A/B Testing
- 12. Feature flags
- 13. Tweek is mission critical
- 14. Tweek is open source...
- 15. GitHub Flow Source: GitHub Checks - Quality Feedback
- 17. Security Department Source: IT Crowd
- 18. Can we add security checks?
- 19. The best defense is a good offense Source: http://community-sitcom.wikia.com/wiki/File:Dual_wielding_Chang.jpg
- 20. And run it in CI Let’s take a hacking tool
- 21. OWASP Zap
- 22. OWASP Zaproxy https://www.openhub.net/p/zaproxy Free and Open Source hacking tool
- 24. Zap has two modes: Passive Active
- 27. Passive Mode
- 28. What Zap does? ● Inspecting request and response ● Run passive scan rules: ○ Cookies misconfiguration ○ Security HTTP Headers ○ Mixed Content ○ And many more
- 29. Setup Proxy
- 30. Browse Editor
- 31. Many findings
- 32. Potential issue
- 33. Why?
- 34. Zap does not only find the issues It will also help you fix them!
- 35. Active Mode
- 36. What Zap does? ● Find all URLS/Paths ● Run active scan rules: ○ SQL injections ○ XSS ○ Directory browsing ○ Remote file inclusion ○ And many more
- 38. Zap can parse the spec
- 39. And now we can attack it…
- 40. Let’s push the red button
- 41. Now relax and drink some coffee
- 42. Massive attack
- 43. Many findings
- 44. Potential issue
- 45. Why?
- 46. Security Report - 2017
- 48. And run it in CI Let’s take a Hacking Tool
- 49. Zap has two modes: Passive Active
- 50. Passive Mode
- 51. Tweek’s Security Testing Tweek API Tweek Editor Integration Tests REST UI Automation Tests Selenium ZAP Proxy ZAP Proxy REST Selenium
- 52. Let’s use Docker ● Tweek is designed as a multi-container app ● Every microservice has an offical Docker image ● Tweek uses Docker-native CI (Codefresh) ● Test suites also run as docker containers ● Zap has an official docker image
- 53. Containerized them all! Tweek API Tweek Editor Smoke Tests REST UI Automation Tests Selenium ZAP Proxy ZAP Proxy REST Selenium
- 55. docker-compose is widely supported
- 56. Running it in CI
- 57. Zap API
- 59. Curl/CLI/SDK
- 60. So we have Security Tests...
- 61. But it’s not perfect…
- 62. OWASP Glue
- 63. OWASP Glue Security Tool Filtering Reporting Free and Open Source CI tool
- 64. Let’s add some glue to our CI
- 65. Using Glue ruby /usr/bin/glue/bin/glue -t zap --zap-host http://zap-e2e --zap-port 8090 --zap-passive-mode -f text --exit-on-warn 0 http://editor --finding-file-path /usr/src/wrk/glue.json
- 66. Let’s look at the findings…
- 67. Zap’s findings for the API ● Insecure cookies ● Missing security headers ● Insecure hash FIXED FIXED IGNORE
- 68. Active Mode
- 69. Simply docker docker run -t --net=host -v $(pwd):/zap/wrk owasp/zap2docker-weekly zap-api-scan.py -t http://localhost:4003/api/swagger.json -f openapi -r report.html Find out more on Zap’s wiki...
- 72. So we have dynamic security tests...
- 73. Let’s see if it works…
- 74. Should I approve this pull request?
- 77. But the tests are failing...
- 78. Let's see why...
- 80. Conclusion
- 81. Security Testing Options Passive (Proxy) Active (OpenAPI) Simple to integrate Simple to integrate Wide coverage Wide Coverage Fast Slow Mixing tests types Dedicated tests types
- 83. GitHub Only?
- 84. How can you use it?
- 85. Useful links ● Pull Request – adding security tests to Tweek ● Malicious Pull Request ● Demo repo – Adding security tests to vulnerable app - Juice Shop ● Blog Post – how I added security tests to Tweek @omerlh @yshayy
- 86. One tool in the toolbox
- 87. Open Source is all about Community
Notes de l'éditeur
- Thank you for having me Are you running tests in you CI? How? Why Can it be easy?
- Who heard on the breach Who heard without the breack
- It will happen to you Run tests in CI
- What is security tests – tests that can test your code and how we did it
- Talk about what is OWASP- non profit, wide and popular
- Say this is hackin tool, I’ll explain in a minute how
- I’m going to show the manual approach
- Add Tweek Postman
- 2015
- False positive filtering
- Glue ease integration of security tools into CI How? Glue can take many security tools <click> This is just a sample, already more than 15 supported And let you define filters <click> and reporters <click> Filters let you filter issues raised by the tool, report control on how you visualize them So you can write your own filters and reporters and they will apply to any new seuciryt tool that you will add to glue
- Add failure/success
- Add atomic pitria
- July 29 names, social security numbers, birth dates, home addresses, and in some cases, driving license information. 143 million Americans are said to be affected – half of US
- Go home and take a look at your CI
- Let’s continue the dicussion in the open space
- And to have as many tools – open source need you