The document discusses security testing for containerized applications. It outlines different layers of containerized apps including code, dependencies, and Docker images. It then describes various security testing techniques that can be applied to each layer, including static analysis tools for code scanning, dependency scanning, and Docker image scanning. It also covers dynamic/runtime testing using passive and active scanning with tools like OWASP Zap. The document advocates building these security tests into the CI/CD pipeline and only deploying container images that pass all tests through a process of image certification. It demonstrates some of these techniques on a sample Lolcode application.
11. What?
● Scanning static assets (e.g. source code)
● Language aware
● Different tools for different layers
● Points to where the issue is
Code
Dependencies
Docker Image
12. Code Layer
● Scan the code for vulnerabilities
● Different tools for different languages
● Bandit – Python
● Brakeman – Ruby on Rails
● Find Security Bugs - Java
● TSLint - TypeScript
● OWASP Source Code Analyzers list
14. Dependencies Layer
● 3rd party code used by the app
● Usually installed by a package manager
● PyPI, Gem, NuGet, NPM
● Each dependency might include known vulnerabilities
● OWASP Top 10 A9
● OWASP Dependency Track
22. What?
● Scanning live app
● Language agnostic, protocol aware
● Only detects issues, not their root cause
● Simple to run with OWASP ZAP
● Passive
● Active
● Leveraging Docker for local run
26. Passive Scan
● Proxy black box tests
● Scan HTTP requests/responses
● HTTP static analysis
● Looks for security issues
● Fast, not risky
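As an added example (not part of the deck and not ZAP code), this is the kind of rule set a passive scanner applies to recorded traffic: it never sends a request of its own, it only reads captured responses. The header names are real HTTP headers; the rule ids, the `Finding` type and the two sample captures are constructed for the example.

```python
"""Passive HTTP checks: inspect recorded responses for security issues
without sending any traffic. Added example in the spirit of ZAP's passive
rules; not ZAP code. The sample captures below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Union

Headers = Dict[str, Union[str, List[str]]]


@dataclass
class Finding:
    rule: str
    detail: str


def _header(headers: Headers, name: str) -> List[str]:
    """Case-insensitive lookup; Set-Cookie may repeat, so always return a list."""
    values: List[str] = []
    for key, value in headers.items():
        if key.lower() == name.lower():
            values.extend(value if isinstance(value, list) else [value])
    return values


def check_response(resp: dict) -> List[Finding]:
    """Apply passive rules to one captured response and return the findings."""
    findings: List[Finding] = []
    url, h = resp["url"], resp["headers"]
    is_https = url.startswith("https://")

    if is_https and not _header(h, "Strict-Transport-Security"):
        findings.append(Finding("hsts-missing", "no Strict-Transport-Security header"))
    if "nosniff" not in " ".join(_header(h, "X-Content-Type-Options")).lower():
        findings.append(Finding("nosniff-missing", "X-Content-Type-Options: nosniff not set"))
    if not _header(h, "Content-Security-Policy"):
        findings.append(Finding("csp-missing", "no Content-Security-Policy header"))
    for server in _header(h, "Server"):
        if any(ch.isdigit() for ch in server):  # a version number is an information leak
            findings.append(Finding("server-version-leak", f"Server header reveals version: {server}"))
    for cookie in _header(h, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        # attribute names after the first ';', lower-cased, values dropped
        attrs = {part.strip().lower().split("=")[0] for part in cookie.split(";")[1:]}
        if is_https and "secure" not in attrs:
            findings.append(Finding("cookie-no-secure", f"cookie {name} lacks the Secure flag"))
        if "httponly" not in attrs:
            findings.append(Finding("cookie-no-httponly", f"cookie {name} lacks the HttpOnly flag"))
    return findings


def rule_ids(findings: List[Finding]) -> List[str]:
    return sorted(f.rule for f in findings)


# Constructed captures, as a proxy would record them.
WEAK_RESPONSE = {
    "url": "https://app.example.test/login",
    "status": 200,
    "headers": {
        "Content-Type": "text/html; charset=utf-8",
        "Server": "Apache/2.4.29 (Ubuntu)",
        "Set-Cookie": "session=abc123; Path=/",
    },
}
HARDENED_RESPONSE = {
    "url": "https://app.example.test/login",
    "status": 200,
    "headers": {
        "Content-Type": "text/html; charset=utf-8",
        "Server": "Apache",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'",
        "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"],
    },
}

if __name__ == "__main__":
    for f in check_response(WEAK_RESPONSE):
        print(f"[{f.rule}] {f.detail}")
```

Because the checks only read what the application already sent, they are safe to run against every environment, which is what makes the passive scan the first candidate for the pipeline.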
27. Active Scan
● Discover all endpoints
● Craft malicious requests
● Test that the server can handle those requests
● Slow, could cause damage
31. Building our CI/CD Pipeline
✓ Break the build or it didn’t happen
✓ False positives
✓ Keep it DRY
✓ Ownership
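One way to put the four points above into a pipeline step, as an added example that is not Soluto's tooling: a single gate function (DRY) consumes a scanner report, breaks the build with a non-zero exit code on anything at or above a severity threshold, and suppresses known false positives only through an allowlist whose entries carry an owner and an expiry date. The JSON shape follows `bandit -f json`; the same gate works for a dependency or image scanner with a different loader. The report, the allowlist and the team name are constructed.

```python
"""CI gate over scanner output: break the build on real findings and keep the
false-positive list small, owned and expiring. Added example; the JSON shape
follows `bandit -f json`, the sample data is constructed."""
import json
import sys
from datetime import date
from typing import Dict, List, Optional

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed Bandit-style report.
BANDIT_OUTPUT = json.dumps({"results": [
    {"filename": "app/auth.py", "line_number": 42, "test_id": "B105",
     "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "issue_text": "Possible hardcoded password"},
    {"filename": "app/views.py", "line_number": 17, "test_id": "B201",
     "issue_severity": "HIGH", "issue_confidence": "MEDIUM",
     "issue_text": "A Flask app appears to be run with debug=True"},
    {"filename": "scripts/deploy.py", "line_number": 9, "test_id": "B602",
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "subprocess call with shell=True identified"},
    {"filename": "scripts/old.py", "line_number": 5, "test_id": "B602",
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "subprocess call with shell=True identified"},
]})

# Constructed false-positive allowlist. Every entry names an owner and expires,
# so suppressions get re-reviewed instead of accumulating forever.
ALLOWLIST = [
    {"test_id": "B602", "filename": "scripts/deploy.py", "line_number": 9,
     "owner": "platform-team", "reason": "command string is a constant",
     "expires": "2099-01-01"},
    {"test_id": "B602", "filename": "scripts/old.py", "line_number": 5,
     "owner": "platform-team", "reason": "legacy script",
     "expires": "2018-01-01"},  # expired: the finding blocks again
]


def _key(entry: Dict) -> tuple:
    return (entry["test_id"], entry["filename"], entry["line_number"])


def is_allowlisted(finding: Dict, allowlist: List[Dict], today: date) -> bool:
    """A suppression only counts while it has not expired."""
    for entry in allowlist:
        if _key(entry) == _key(finding):
            return date.fromisoformat(entry["expires"]) >= today
    return False


def gate(report_json: str, allowlist: List[Dict], min_severity: str = "MEDIUM",
         today: Optional[date] = None) -> List[Dict]:
    """Return the findings that must block the build."""
    today = today or date.today()
    blocking = []
    for finding in json.loads(report_json)["results"]:
        if SEVERITY_RANK[finding["issue_severity"]] < SEVERITY_RANK[min_severity]:
            continue
        if is_allowlisted(finding, allowlist, today):
            continue
        blocking.append(finding)
    return blocking


def main() -> int:
    blocking = gate(BANDIT_OUTPUT, ALLOWLIST)
    for f in blocking:
        print(f"{f['issue_severity']} {f['test_id']} "
              f"{f['filename']}:{f['line_number']} {f['issue_text']}")
    return 1 if blocking else 0  # a non-zero exit code breaks the build


if __name__ == "__main__":
    sys.exit(main())
```

Keying suppressions on (rule, file, line) is deliberately strict: when the code moves, the suppression stops matching and the finding has to be looked at again rather than staying silently hidden.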
32. Image Certification
Only images that passed all the tests should be used on production
● Build dependency
● Image labels
● Image signing
● Image policy
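The four bullets combine into one admission decision, shown here as an added example that is not Soluto's implementation: the image must be pinned by digest and come from a trusted registry (policy), it must carry a passing label for every pipeline stage (labels, build dependency) and the label set must be bound to the digest by a certification signature issued only after all tests pass (signing). The HMAC stands in for a real image-signing system such as Docker Content Trust/Notary or cosign; the key, registry name, label keys and image digest are constructed.

```python
"""Image certification check: admit only digest-pinned images from a trusted
registry whose scan labels are all 'pass' and whose certification signature
verifies. Added example. The HMAC stands in for a real image-signing system;
key, registry, labels and digest are constructed."""
import hashlib
import hmac
import re
from typing import Dict, List

CERT_KEY = b"constructed-demo-key-not-for-production"
ALLOWED_REGISTRIES = {"registry.example.test"}
# One label per pipeline stage; the image is certified only when all four passed.
REQUIRED_LABELS = {
    "security.scan.code": "pass",
    "security.scan.deps": "pass",
    "security.scan.image": "pass",
    "security.scan.dast": "pass",
}
DIGEST_REF = re.compile(
    r"^(?P<registry>[^/]+)/(?P<repo>[^@:]+)@(?P<digest>sha256:[0-9a-f]{64})$")


def certify(digest: str, labels: Dict[str, str]) -> str:
    """Issued by the pipeline after all tests pass: binds the digest to its labels."""
    payload = digest + "|" + "|".join(f"{k}={labels[k]}" for k in sorted(labels))
    return hmac.new(CERT_KEY, payload.encode(), hashlib.sha256).hexdigest()


def evaluate(image_ref: str, labels: Dict[str, str], signature: str) -> List[str]:
    """Return policy violations; an empty list means the image may be deployed."""
    m = DIGEST_REF.match(image_ref)
    if not m:
        return ["image must be referenced by sha256 digest, not by tag"]
    violations = []
    if m["registry"] not in ALLOWED_REGISTRIES:
        violations.append(f"registry {m['registry']} is not trusted")
    for key, wanted in REQUIRED_LABELS.items():
        if labels.get(key) != wanted:
            violations.append(f"label {key} is {labels.get(key)!r}, expected {wanted!r}")
    # Re-derive the signature over what is presented; any relabeling breaks it.
    if not hmac.compare_digest(certify(m["digest"], labels), signature):
        violations.append("certification signature does not verify")
    return violations


# Constructed image that passed every stage.
GOOD_DIGEST = "sha256:" + "a" * 64
GOOD_REF = f"registry.example.test/shop/api@{GOOD_DIGEST}"
GOOD_LABELS = dict(REQUIRED_LABELS)
GOOD_SIG = certify(GOOD_DIGEST, GOOD_LABELS)

if __name__ == "__main__":
    print(evaluate(GOOD_REF, GOOD_LABELS, GOOD_SIG))
    print(evaluate("registry.example.test/shop/api:latest", GOOD_LABELS, GOOD_SIG))
```

Pinning by digest rather than tag matters because a tag such as `latest` can be repointed after certification; the digest is what the signature actually covers.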
33. What we have @ Soluto?
● Static analysis
✓ Source code scan
❑ Dependencies scan (in progress)
❑ Image scan
● Dynamic analysis
✓ Passive
❑ Active (in progress)
A real example of a timing attack due to insecure equals
Something easy to miss, but easy to spot using static analysis
We had a real issue at Soluto that was caught by using TSLint
Show how many packages are available
Say something about the rise
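The insecure-equals case from the notes, as an added example (the deck's real case was TypeScript caught by TSLint; this is not that code): a secret compared with `==` short-circuits at the first differing byte, so response time leaks how much of a guess was right, and the fix is a constant-time comparison. The small AST rule alongside shows how a code scanner spots the pattern: an equality comparison whose operand name looks like secret material. The two source snippets, the name heuristic and the function names are constructed.

```python
"""Insecure equality on a secret, the constant-time fix, and a small AST rule
that flags the pattern. Added example; the deck's case was TypeScript/TSLint,
this shows the same bug class in Python. Snippets and heuristic are constructed."""
import ast
import hmac
from typing import List

# Constructed snippets standing in for application code under review.
VULNERABLE_SRC = '''
def verify(request_token, expected_token):
    # == stops at the first differing byte, so response time reveals
    # how many leading bytes of the presented token were right.
    return request_token == expected_token
'''

FIXED_SRC = '''
import hmac

def verify(request_token, expected_token):
    # Constant-time comparison: runtime does not depend on where the inputs differ.
    return hmac.compare_digest(request_token, expected_token)
'''

# Name fragments that suggest an operand holds secret material (heuristic).
SECRET_HINTS = ("token", "secret", "signature", "password", "digest", "hmac")


def _looks_secret(node: ast.AST) -> bool:
    if isinstance(node, ast.Name):
        name = node.id
    elif isinstance(node, ast.Attribute):
        name = node.attr
    else:
        return False
    return any(hint in name.lower() for hint in SECRET_HINTS)


def find_insecure_compares(source: str) -> List[int]:
    """Line numbers of == / != comparisons with a secret-looking operand."""
    hits: List[int] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        if not any(isinstance(op, (ast.Eq, ast.NotEq)) for op in node.ops):
            continue
        if any(_looks_secret(operand) for operand in [node.left] + node.comparators):
            hits.append(node.lineno)
    return hits


def verify_constant_time(presented: str, expected: str) -> bool:
    """The fix applied to live code: compare as bytes in constant time."""
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    print("vulnerable snippet, flagged lines:", find_insecure_compares(VULNERABLE_SRC))
    print("fixed snippet, flagged lines:", find_insecure_compares(FIXED_SRC))
```

The rule is intentionally a heuristic: like any linter check it trades some false positives for catching the case a reviewer skims past, which is the point the notes make about static analysis.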