Speech of Tetiana Chupryna, Backend developer at GitLab, at Ruby Meditation #26 Kyiv 16.02.2019 Next conference - http://www.rubymeditation.com/ We’ll talk about different types of vulnerabilities, scanning tools and the whole process per se. Announcements and conference materials https://www.fb.me/RubyMeditation News https://twitter.com/RubyMeditation Photos https://www.instagram.com/RubyMeditation The stream of Ruby conferences (not just ours) https://t.me/RubyMeditation

1. Security Scanning
Overview
Tetiana Chupryna
Feb 16 2018Kyiv

2. Te(a)ti(y)ana

3. GitLab
Te(a)ti(y)ana

4. GitLab
Secure
Te(a)ti(y)ana

5. GitLab
Secure
dogs
Te(a)ti(y)ana

7. Security Scanning

8. Application Security
Security Scanning

9. Information Security
Application Security
Security Scanning

11. Application security
• Defend assets
• Search vulnerabilities
• Prevent attacks
• Disarm treats

12. a story

13. Alice

14. Alice

15. Alice Bob

16. Alice Bob
Trudy

17. Alice Bob
Trudy

18. Alice Bob
Walter

19. Common Weakness
Enumeration (CWE)
• Common language for describing software security
weaknesses
• Standard measuring stick for software security
tools
• Common baseline standard for weakness
identification, mitigation, and prevention efforts

20. Common Vulnerabilities
and Exposures (CVE)
• List of known vulnerabilities inside products
• Widely used by many services

21. Vulnerability
• What? (Identifier, Name, Description)
• Where? (Location)
• How critical? (Severity)
• How confident? (Confidence)

22. Level 1
Your code is a problem

23. SAST
• Static Application Security Testing
• Testing from inside out (white-box)
• Technology dependent

24. Tools (owasp.org)
• Brakeman - Rails
• Codesake Dawn - Ruby (~)

25. DAST
• Dynamic Application Security Testing
• Testing from outside (black box)
• Live attack on staging
• HTTP - lingua-franca

26. ZAProxy
• OWASP Zed Attack Proxy Project
• Open source

27. What else?
• Secrets detection
• Interactive Application Security Testing (IAST)
• Fuzzing

28. Top 10 Rails
vulnerabilities
• Failure to Restrict URL Access
• Preventing SQLi in Ruby
• Cross-Site Scripting (XSS)
• Injection
• Cross-Site Request Forgery (CSRF)
• Insecure Cryptographic Storage
• Broken Authentication and Session
Management
• Invalidated Redirects and Forwards
• Insecure Direct Object References
• Insufficient Transport Layer Protection
• Security Misconfiguration

29. Level 2
Other’s code is a problem

30. Dependency Scanning
• Software Composition Analysis
• Tricky one

31. Alice Bob
Trudy
Heidi

32. “Given enough eyeballs, all bugs are
shallow.”
–Linus Torvalds

33. ShellShock existed in the OpenSSL
library for more than 22 years

34. Tools
• OWASP Dependency-Check
• Gemnasium (part of GitLab)
• snyk.io

35. Level 3
It’s not about code anymore

36. Container scanning
• Scanning Docker images for known vulnerabilities
• cause there are dependencies as well

37. Tools
• Clair
• Docker Trusted Registry

39. Alice Bob
Trudy
Walter

41. DevOpsSec

42. Do I need it?

43. No

44. Yes

45. What we do in GitLab?
• One tool to rule them all.
• Insert secure tools into DevOps cycle.
• Tool to help Security Analysts.
• Auto-remediate functionality.

46. Security Dashboard

47. Use with pipeline
sast:
image: docker:stable
variables:
DOCKER_DRIVER: overlay2
allow_failure: true
services:
- docker:stable-dind
script:
- export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^([0-9]*).([0-9]*).*/1-2-stable/')
- docker run
--env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
--volume "$PWD:/code"
--volume /var/run/docker.sock:/var/run/docker.sock
"registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
artifacts:
reports:
sast: gl-sast-report.json

48. Available features
• SAST
• DAST
• Dependency Scanning
• Container Scanning
• License Management
• … and more!

49. Stay safe!

50. Photo Credits
• @bichon_frise_ally
• @hongeunyeong
• @arang2o_o
• @tofupuppers

51. Security Scanning
Overview