
Security Scanning Overview - Tetiana Chupryna (RUS) | Ruby Meditation 26

Talk by Tetiana Chupryna, Backend Developer at GitLab, at Ruby Meditation #26, Kyiv, 16.02.2019
Next conference - http://www.rubymeditation.com/

We'll talk about the different types of vulnerabilities, the scanning tools, and the scanning process as a whole.

Announcements and conference materials https://www.fb.me/RubyMeditation
News https://twitter.com/RubyMeditation
Photos https://www.instagram.com/RubyMeditation
The stream of Ruby conferences (not just ours) https://t.me/RubyMeditation

Published in: Technology

  1. Security Scanning Overview Tetiana Chupryna Feb 16 2018 Kyiv
  2. Te(a)ti(y)ana
  3. GitLab Te(a)ti(y)ana
  4. GitLab Secure Te(a)ti(y)ana
  5. GitLab Secure dogs Te(a)ti(y)ana
  6. Security Scanning
  7. Application Security Security Scanning
  8. Information Security Application Security Security Scanning
  9. Application security • Defend assets • Search for vulnerabilities • Prevent attacks • Disarm threats
  10. a story
  11. Alice
  12. Alice
  13. Alice Bob
  14. Alice Bob Trudy
  15. Alice Bob Trudy
  16. Alice Bob Walter
  17. Common Weakness Enumeration (CWE) • Common language for describing software security weaknesses • Standard measuring stick for software security tools • Common baseline standard for weakness identification, mitigation, and prevention efforts
  18. Common Vulnerabilities and Exposures (CVE) • List of known vulnerabilities in products • Widely used by many services
  19. Vulnerability • What? (Identifier, Name, Description) • Where? (Location) • How critical? (Severity) • How confident? (Confidence)
  20. Level 1 Your code is a problem
  21. SAST • Static Application Security Testing • Testing from the inside out (white box) • Technology dependent
  22. Tools (owasp.org) • Brakeman - Rails • Codesake Dawn - Ruby (~)
  23. DAST • Dynamic Application Security Testing • Testing from the outside (black box) • Live attack on staging • HTTP - lingua franca
  24. ZAProxy • OWASP Zed Attack Proxy Project • Open source
  25. What else? • Secrets detection • Interactive Application Security Testing (IAST) • Fuzzing
  26. Top 10 Rails vulnerabilities • Failure to Restrict URL Access • Preventing SQLi in Ruby • Cross-Site Scripting (XSS) • Injection • Cross-Site Request Forgery (CSRF) • Insecure Cryptographic Storage • Broken Authentication and Session Management • Unvalidated Redirects and Forwards • Insecure Direct Object References • Insufficient Transport Layer Protection • Security Misconfiguration
  27. Level 2 Others' code is a problem
  28. Dependency Scanning • Software Composition Analysis • Tricky one
  29. Alice Bob Trudy Heidi
  30. “Given enough eyeballs, all bugs are shallow.” –Linus Torvalds
  31. ShellShock existed in the OpenSSL library for more than 22 years
  32. Tools • OWASP Dependency-Check • Gemnasium (part of GitLab) • snyk.io
  33. Level 3 It's not about code anymore
  34. Container scanning • Scanning Docker images for known vulnerabilities • because there are dependencies there as well
  35. Tools • Clair • Docker Trusted Registry
  36. Alice Bob Trudy Walter
  37. DevOpsSec
  38. Do I need it?
  39. No
  40. Yes
  41. What do we do at GitLab? • One tool to rule them all. • Insert secure tools into the DevOps cycle. • A tool to help Security Analysts. • Auto-remediate functionality.
  42. Security Dashboard
  43. Use with pipeline
      sast:
        image: docker:stable
        variables:
          DOCKER_DRIVER: overlay2
        allow_failure: true
        services:
          - docker:stable-dind
        script:
          - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
          - docker run
              --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
              --volume "$PWD:/code"
              --volume /var/run/docker.sock:/var/run/docker.sock
              "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
        artifacts:
          reports:
            sast: gl-sast-report.json
  44. Available features • SAST • DAST • Dependency Scanning • Container Scanning • License Management • … and more!
  45. Stay safe!
  46. Photo Credits • @bichon_frise_ally • @hongeunyeong • @arang2o_o • @tofupuppers
  47. Security Scanning Overview
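As an added example (not from the talk and not GitLab's own code): a small Ruby script that reads a report in the shape of the gl-sast-report.json artifact produced by the pipeline job on slide 43, keeps the four questions from the "Vulnerability" slide (what, where, how critical, how confident), applies a SAST_CONFIDENCE_LEVEL cut-off, summarizes by severity, and gates on severity. The sample report and its field names are constructed, and the mapping 1=Low, 2=Medium, 3=High for the confidence level is an assumption.

```ruby
require 'json'
# Constructed sample shaped like a gl-sast-report.json artifact; field names are
# assumed from the GitLab report schema, not copied from a real run.
SAMPLE_REPORT = <<~JSON
  {"version": "2.0", "vulnerabilities": [
    {"name": "SQL Injection", "severity": "High", "confidence": "High", "scanner": {"id": "brakeman"},
     "location": {"file": "app/models/user.rb", "start_line": 42},
     "identifiers": [{"type": "brakeman_warning_code", "value": "0"}]},
    {"name": "Cross-Site Scripting", "severity": "Medium", "confidence": "Medium", "scanner": {"id": "brakeman"},
     "location": {"file": "app/views/users/show.html.erb", "start_line": 7},
     "identifiers": [{"type": "brakeman_warning_code", "value": "2"}]},
    {"name": "Unvalidated Redirect", "severity": "Medium", "confidence": "Low", "scanner": {"id": "brakeman"},
     "location": {"file": "app/controllers/sessions_controller.rb", "start_line": 19},
     "identifiers": [{"type": "brakeman_warning_code", "value": "18"}]}
  ]}
JSON

# Assumed mapping of SAST_CONFIDENCE_LEVEL (1..3) onto the report's confidence strings.
CONFIDENCE = { 'Low' => 1, 'Medium' => 2, 'High' => 3 }.freeze
SEVERITY_ORDER = %w[Critical High Medium Low Info].freeze # most severe first
# What / where / how critical / how confident, as on the "Vulnerability" slide.
Finding = Struct.new(:name, :severity, :confidence, :file, :line, :tool, :identifiers)

def parse_report(json)
  JSON.parse(json).fetch('vulnerabilities').map do |v|
    loc = v.fetch('location', {})
    Finding.new(v['name'], v['severity'] || 'Unknown', v['confidence'] || 'Unknown',
                loc['file'], loc['start_line'], v.dig('scanner', 'id'),
                (v['identifiers'] || []).map { |i| "#{i['type']}:#{i['value']}" })
  end
end

# Drop findings below the minimum confidence level (unknown confidence counts as 0).
def filter_by_confidence(findings, min_level)
  findings.select { |f| CONFIDENCE.fetch(f.confidence, 0) >= min_level }
end

# Counts per severity, e.g. {"High"=>1, "Medium"=>2}, for a dashboard-style summary.
def summarize(findings)
  findings.group_by(&:severity).transform_values(&:size)
end

# True when nothing is at or above fail_on; the template's allow_failure: true means
# the scan job itself never blocks a pipeline, so a gate like this has to be explicit.
def passes_gate?(findings, fail_on: 'High')
  limit = SEVERITY_ORDER.index(fail_on)
  findings.none? { |f| (SEVERITY_ORDER.index(f.severity) || SEVERITY_ORDER.size) <= limit }
end
```

Against a real artifact, pass File.read('gl-sast-report.json') to parse_report and take the cut-off from ENV['SAST_CONFIDENCE_LEVEL'].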
