SlideShare une entreprise Scribd logo

Ruby on Rails security in your Continuous Integration

Sqreen
Sqreen
SqreenSqreen

Sqreen (https://www.sqreen.io) describes how open-source public tools can help improve your software security in your Continuous Integration cycle. This presentation focus on Ruby on Rails and uses open source Ruby gems as well as Jenkins, an open source CI tool. Two tools are presented. Arachni (https://github.com/Arachni/arachni) is a dynamic security analysis tool. It need some special scripting to get integrated to Jenkins (ask me!). Brakeman (https://github.com/presidentbeef/brakeman), a static analysis tool, targets Ruby on Rails applications source code. It can be easily integrated to Jenkins thanks to an existing plug-in. This method can make the reports hard to understand and process systematically in a CI work flow. Jean-Baptiste Aviat, Sqreen CTO

Ruby on Rails security in your Continuous Integration

1  sur  17
Télécharger pour lire hors ligne
Confidential & proprietary © Sqreen, 2015
Rails Security Continuous Integration
We make products antifragile.
Confidential & proprietary © Sqreen, 2015
Jean-Baptiste Aviat
Sqreen CTO (https://sqreen.io)
Former Apple software security engineer
Former white hat hacker
Twitter: @JbAviat
Email: jb@sqreen.io
Confidential & proprietary © Sqreen, 2015
–Agent Smith
“Never send a human to
do a machine's job.”
Confidential & proprietary © Sqreen, 2015
Continuous Integration
Quality: automate everything you can
Unit tests at every commit
Integration tests at every commit
Test against a production like stack
Maximize confidence for every commit
Confidential & proprietary © Sqreen, 2015
–Edsger W. Dijkstra
“Testing shows the presence,
not the absence of bugs.”
Confidential & proprietary © Sqreen, 2015
Static & Dynamic analysis

Recommandé

Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing Sqreen
 
Tune your App Perf (and get fit for summer)
Tune your App Perf (and get fit for summer)Tune your App Perf (and get fit for summer)
Tune your App Perf (and get fit for summer)Sqreen
 
Application Security from the Inside - OWASP
Application Security from the Inside - OWASPApplication Security from the Inside - OWASP
Application Security from the Inside - OWASPSqreen
 
Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Sqreen
 
Securing Serverless - By Breaking In
Securing Serverless - By Breaking InSecuring Serverless - By Breaking In
Securing Serverless - By Breaking InGuy Podjarny
 
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...Lacework
 
Application Security in a Container World - Akash Mahajan - BCC 2017
Application Security in a Container World - Akash Mahajan - BCC 2017Application Security in a Container World - Akash Mahajan - BCC 2017
Application Security in a Container World - Akash Mahajan - BCC 2017CodeOps Technologies LLP
 

Contenu connexe

Tendances

DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...Lacework
 
Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework
 
Self Service for IT Infrastructure
Self Service for IT Infrastructure Self Service for IT Infrastructure
Self Service for IT Infrastructure Cisco DevNet
 
Security in OSS DevOps
Security in OSS DevOpsSecurity in OSS DevOps
Security in OSS DevOpsCheah Eng Soon
 
Better Bug Stomping with Zend Studio and Zend Server
Better Bug Stomping with Zend Studio and Zend ServerBetter Bug Stomping with Zend Studio and Zend Server
Better Bug Stomping with Zend Studio and Zend ServerZend by Rogue Wave Software
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationPuppet
 
Using Security To Build
 With Confidence In AWS - Trend Micro
Using Security To Build
 With Confidence In AWS - Trend MicroUsing Security To Build
 With Confidence In AWS - Trend Micro
Using Security To Build
 With Confidence In AWS - Trend MicroAmazon Web Services
 
Using Security To Build With Confidence - Session Sponsored by Trend Micro
Using Security To Build With Confidence - Session Sponsored by Trend MicroUsing Security To Build With Confidence - Session Sponsored by Trend Micro
Using Security To Build With Confidence - Session Sponsored by Trend MicroAmazon Web Services
 
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran
 
All Your Containers Are Belong To Us
All Your Containers Are Belong To UsAll Your Containers Are Belong To Us
All Your Containers Are Belong To UsLacework
 
Principles Of Chaos Engineering - Chaos Engineering Hamburg
Principles Of Chaos Engineering - Chaos Engineering HamburgPrinciples Of Chaos Engineering - Chaos Engineering Hamburg
Principles Of Chaos Engineering - Chaos Engineering HamburgNils Meder
 
Deployment Automation & Self-Healing with Dynatrace & Ansible
Deployment Automation & Self-Healing with Dynatrace & AnsibleDeployment Automation & Self-Healing with Dynatrace & Ansible
Deployment Automation & Self-Healing with Dynatrace & AnsibleJürgen Etzlstorfer
 
Infrastructure as Code
Infrastructure as CodeInfrastructure as Code
Infrastructure as CodePrasant Kumar
 
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes BackBSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes BackLacework
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSTeri Radichel
 
.NET Security (Radu Vunvulea)
.NET Security (Radu Vunvulea).NET Security (Radu Vunvulea)
.NET Security (Radu Vunvulea)Radu Vunvulea
 

Tendances (20)

DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
 
Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security Threats
 
Mitigate Security Threats with SIEM
Mitigate Security Threats with SIEMMitigate Security Threats with SIEM
Mitigate Security Threats with SIEM
 
Self Service for IT Infrastructure
Self Service for IT Infrastructure Self Service for IT Infrastructure
Self Service for IT Infrastructure
 
Security in OSS DevOps
Security in OSS DevOpsSecurity in OSS DevOps
Security in OSS DevOps
 
Better Bug Stomping with Zend Studio and Zend Server
Better Bug Stomping with Zend Studio and Zend ServerBetter Bug Stomping with Zend Studio and Zend Server
Better Bug Stomping with Zend Studio and Zend Server
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automation
 
Using Security To Build
 With Confidence In AWS - Trend Micro
Using Security To Build
 With Confidence In AWS - Trend MicroUsing Security To Build
 With Confidence In AWS - Trend Micro
Using Security To Build
 With Confidence In AWS - Trend Micro
 
Using Security To Build With Confidence - Session Sponsored by Trend Micro
Using Security To Build With Confidence - Session Sponsored by Trend MicroUsing Security To Build With Confidence - Session Sponsored by Trend Micro
Using Security To Build With Confidence - Session Sponsored by Trend Micro
 
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
 
Set up a Development Environment in 5 Minutes
Set up a Development Environment in 5 MinutesSet up a Development Environment in 5 Minutes
Set up a Development Environment in 5 Minutes
 
All Your Containers Are Belong To Us
All Your Containers Are Belong To UsAll Your Containers Are Belong To Us
All Your Containers Are Belong To Us
 
Principles Of Chaos Engineering - Chaos Engineering Hamburg
Principles Of Chaos Engineering - Chaos Engineering HamburgPrinciples Of Chaos Engineering - Chaos Engineering Hamburg
Principles Of Chaos Engineering - Chaos Engineering Hamburg
 
Manage Your Akamai-as-Code with Terraform
Manage Your Akamai-as-Code with TerraformManage Your Akamai-as-Code with Terraform
Manage Your Akamai-as-Code with Terraform
 
Deployment Automation & Self-Healing with Dynatrace & Ansible
Deployment Automation & Self-Healing with Dynatrace & AnsibleDeployment Automation & Self-Healing with Dynatrace & Ansible
Deployment Automation & Self-Healing with Dynatrace & Ansible
 
Infrastructure as Code
Infrastructure as CodeInfrastructure as Code
Infrastructure as Code
 
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes BackBSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWS
 
.NET Security (Radu Vunvulea)
.NET Security (Radu Vunvulea).NET Security (Radu Vunvulea)
.NET Security (Radu Vunvulea)
 
Ignite Denver - Robots!
Ignite Denver - Robots!Ignite Denver - Robots!
Ignite Denver - Robots!
 

En vedette

From Second Screen to Multi-Screen: We Are Social's Guide to Social Screens
From Second Screen to Multi-Screen: We Are Social's Guide to Social ScreensFrom Second Screen to Multi-Screen: We Are Social's Guide to Social Screens
From Second Screen to Multi-Screen: We Are Social's Guide to Social ScreensWe Are Social Singapore
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Christian Schneider
 
7 Tips to Beautiful PowerPoint by @itseugenec
7 Tips to Beautiful PowerPoint by @itseugenec7 Tips to Beautiful PowerPoint by @itseugenec
7 Tips to Beautiful PowerPoint by @itseugenecEugene Cheng
 
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)Board of Innovation
 
The Seven Deadly Social Media Sins
The Seven Deadly Social Media SinsThe Seven Deadly Social Media Sins
The Seven Deadly Social Media SinsXPLAIN
 
Five Killer Ways to Design The Same Slide
Five Killer Ways to Design The Same SlideFive Killer Ways to Design The Same Slide
Five Killer Ways to Design The Same SlideCrispy Presentations
 
How People Really Hold and Touch (their Phones)
How People Really Hold and Touch (their Phones)How People Really Hold and Touch (their Phones)
How People Really Hold and Touch (their Phones)Steven Hoober
 
Upworthy: 10 Ways To Win The Internets
Upworthy: 10 Ways To Win The InternetsUpworthy: 10 Ways To Win The Internets
Upworthy: 10 Ways To Win The InternetsUpworthy
 
What 33 Successful Entrepreneurs Learned From Failure
What 33 Successful Entrepreneurs Learned From FailureWhat 33 Successful Entrepreneurs Learned From Failure
What 33 Successful Entrepreneurs Learned From FailureReferralCandy
 
Why Content Marketing Fails
Why Content Marketing FailsWhy Content Marketing Fails
Why Content Marketing FailsRand Fishkin
 
The History of SEO
The History of SEOThe History of SEO
The History of SEOHubSpot
 
How To (Really) Get Into Marketing
How To (Really) Get Into MarketingHow To (Really) Get Into Marketing
How To (Really) Get Into MarketingEd Fry
 
The What If Technique presented by Motivate Design
The What If Technique presented by Motivate DesignThe What If Technique presented by Motivate Design
The What If Technique presented by Motivate DesignMotivate Design
 
10 Powerful Body Language Tips for your next Presentation
10 Powerful Body Language Tips for your next Presentation10 Powerful Body Language Tips for your next Presentation
10 Powerful Body Language Tips for your next PresentationSOAP Presentations
 
Crap. The Content Marketing Deluge.
Crap. The Content Marketing Deluge.Crap. The Content Marketing Deluge.
Crap. The Content Marketing Deluge.Velocity Partners
 

En vedette (20)

How to-use-buffer-by-ella
How to-use-buffer-by-ellaHow to-use-buffer-by-ella
How to-use-buffer-by-ella
 
From Second Screen to Multi-Screen: We Are Social's Guide to Social Screens
From Second Screen to Multi-Screen: We Are Social's Guide to Social ScreensFrom Second Screen to Multi-Screen: We Are Social's Guide to Social Screens
From Second Screen to Multi-Screen: We Are Social's Guide to Social Screens
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
 
SteadyBudget's Seed Funding Pitch Deck
SteadyBudget's Seed Funding Pitch DeckSteadyBudget's Seed Funding Pitch Deck
SteadyBudget's Seed Funding Pitch Deck
 
7 Tips to Beautiful PowerPoint by @itseugenec
7 Tips to Beautiful PowerPoint by @itseugenec7 Tips to Beautiful PowerPoint by @itseugenec
7 Tips to Beautiful PowerPoint by @itseugenec
 
The Minimum Loveable Product
The Minimum Loveable ProductThe Minimum Loveable Product
The Minimum Loveable Product
 
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
 
The Seven Deadly Social Media Sins
The Seven Deadly Social Media SinsThe Seven Deadly Social Media Sins
The Seven Deadly Social Media Sins
 
Five Killer Ways to Design The Same Slide
Five Killer Ways to Design The Same SlideFive Killer Ways to Design The Same Slide
Five Killer Ways to Design The Same Slide
 
How People Really Hold and Touch (their Phones)
How People Really Hold and Touch (their Phones)How People Really Hold and Touch (their Phones)
How People Really Hold and Touch (their Phones)
 
Upworthy: 10 Ways To Win The Internets
Upworthy: 10 Ways To Win The InternetsUpworthy: 10 Ways To Win The Internets
Upworthy: 10 Ways To Win The Internets
 
What 33 Successful Entrepreneurs Learned From Failure
What 33 Successful Entrepreneurs Learned From FailureWhat 33 Successful Entrepreneurs Learned From Failure
What 33 Successful Entrepreneurs Learned From Failure
 
Design Your Career 2018
Design Your Career 2018Design Your Career 2018
Design Your Career 2018
 
Why Content Marketing Fails
Why Content Marketing FailsWhy Content Marketing Fails
Why Content Marketing Fails
 
The History of SEO
The History of SEOThe History of SEO
The History of SEO
 
How To (Really) Get Into Marketing
How To (Really) Get Into MarketingHow To (Really) Get Into Marketing
How To (Really) Get Into Marketing
 
The What If Technique presented by Motivate Design
The What If Technique presented by Motivate DesignThe What If Technique presented by Motivate Design
The What If Technique presented by Motivate Design
 
Displaying Data
Displaying DataDisplaying Data
Displaying Data
 
10 Powerful Body Language Tips for your next Presentation
10 Powerful Body Language Tips for your next Presentation10 Powerful Body Language Tips for your next Presentation
10 Powerful Body Language Tips for your next Presentation
 
Crap. The Content Marketing Deluge.
Crap. The Content Marketing Deluge.Crap. The Content Marketing Deluge.
Crap. The Content Marketing Deluge.
 

Similaire à Ruby on Rails security in your Continuous Integration

Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019
Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019
Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019Codemotion
 
Kim van Wilgen - Continuous security - Codemotion Rome 2019
Kim van Wilgen - Continuous security - Codemotion Rome 2019Kim van Wilgen - Continuous security - Codemotion Rome 2019
Kim van Wilgen - Continuous security - Codemotion Rome 2019Codemotion
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left SecurityBATbern
 
SPI Dynamics web application security 101
SPI Dynamics web application security 101 SPI Dynamics web application security 101
SPI Dynamics web application security 101 Wade Malone
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSEric Smalling
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15Ed Bellis
 
Security Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud WorldSecurity Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud WorldMark Nunnikhoven
 
360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration Security360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration SecurityDevOps.com
 
Reducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at NetflixReducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at NetflixSBWebinars
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybSeniorStoryteller
 
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...Kevin Fealey
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileOleg Gryb
 
Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro Amazon Web Services
 
Security Observability for Cloud Based Applications
Security Observability for Cloud Based ApplicationsSecurity Observability for Cloud Based Applications
Security Observability for Cloud Based ApplicationsJohn Varghese
 
Practical DevSecOps - How to Continuosly Adapt to Threats_AWSPSSummit_Singapore
Practical DevSecOps - How to Continuosly Adapt to Threats_AWSPSSummit_SingaporePractical DevSecOps - How to Continuosly Adapt to Threats_AWSPSSummit_Singapore
Practical DevSecOps - How to Continuosly Adapt to Threats_AWSPSSummit_SingaporeAmazon Web Services
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCSuman Sourav
 
LF_APIStrat17_Bulletproofing Your API's
LF_APIStrat17_Bulletproofing Your API'sLF_APIStrat17_Bulletproofing Your API's
LF_APIStrat17_Bulletproofing Your API'sLF_APIStrat
 

Similaire à Ruby on Rails security in your Continuous Integration (20)

Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019
Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019
Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019
 
Continuous security
Continuous securityContinuous security
Continuous security
 
Kim van Wilgen - Continuous security - Codemotion Rome 2019
Kim van Wilgen - Continuous security - Codemotion Rome 2019Kim van Wilgen - Continuous security - Codemotion Rome 2019
Kim van Wilgen - Continuous security - Codemotion Rome 2019
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 
SPI Dynamics web application security 101
SPI Dynamics web application security 101 SPI Dynamics web application security 101
SPI Dynamics web application security 101
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15
 
Security Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud WorldSecurity Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud World
 
360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration Security360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration Security
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
 
Reducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at NetflixReducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at Netflix
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg Gryb
 
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro
 
Security Observability for Cloud Based Applications
Security Observability for Cloud Based ApplicationsSecurity Observability for Cloud Based Applications
Security Observability for Cloud Based Applications
 
Practical DevSecOps - How to Continuosly Adapt to Threats_AWSPSSummit_Singapore
Practical DevSecOps - How to Continuosly Adapt to Threats_AWSPSSummit_SingaporePractical DevSecOps - How to Continuosly Adapt to Threats_AWSPSSummit_Singapore
Practical DevSecOps - How to Continuosly Adapt to Threats_AWSPSSummit_Singapore
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
LF_APIStrat17_Bulletproofing Your API's
LF_APIStrat17_Bulletproofing Your API'sLF_APIStrat17_Bulletproofing Your API's
LF_APIStrat17_Bulletproofing Your API's
 

Dernier

unit I lecture 5 - Software Development Life Cycle.pdf
unit I lecture 5 - Software Development Life Cycle.pdfunit I lecture 5 - Software Development Life Cycle.pdf
unit I lecture 5 - Software Development Life Cycle.pdfStephenTec
 
unit I lecture 2 - Software Engineering Ethics - Software Process.pdf
unit I lecture 2 - Software Engineering Ethics - Software Process.pdfunit I lecture 2 - Software Engineering Ethics - Software Process.pdf
unit I lecture 2 - Software Engineering Ethics - Software Process.pdfStephenTec
 
Les02 Restricting and Sorting Data using SQL.ppt
Les02 Restricting and Sorting Data using SQL.pptLes02 Restricting and Sorting Data using SQL.ppt
Les02 Restricting and Sorting Data using SQL.pptDrZeeshanBhatti
 
unit 1 lecture 1 - Introduction - Software Engineering Myths.pdf
unit 1 lecture 1 - Introduction - Software Engineering Myths.pdfunit 1 lecture 1 - Introduction - Software Engineering Myths.pdf
unit 1 lecture 1 - Introduction - Software Engineering Myths.pdfStephenTec
 
Steps to Build a PWA with Odoo.pdf
Steps to Build a PWA with Odoo.pdfSteps to Build a PWA with Odoo.pdf
Steps to Build a PWA with Odoo.pdfayushinwizards
 
Manual de la Mezcladora SoundCraft Notepad -12Fx
Manual de la Mezcladora SoundCraft Notepad -12FxManual de la Mezcladora SoundCraft Notepad -12Fx
Manual de la Mezcladora SoundCraft Notepad -12Fxjavierdavidvelasco17
 
AUTOKEYUNLOCKER-BRANDS-SUPPORT-STANDARD-VERSION.pdf
AUTOKEYUNLOCKER-BRANDS-SUPPORT-STANDARD-VERSION.pdfAUTOKEYUNLOCKER-BRANDS-SUPPORT-STANDARD-VERSION.pdf
AUTOKEYUNLOCKER-BRANDS-SUPPORT-STANDARD-VERSION.pdfAutokey
 
India's_Generative_AI_Startup_Landscape_Report_2023_Inc42 (1).pdf
India's_Generative_AI_Startup_Landscape_Report_2023_Inc42 (1).pdfIndia's_Generative_AI_Startup_Landscape_Report_2023_Inc42 (1).pdf
India's_Generative_AI_Startup_Landscape_Report_2023_Inc42 (1).pdfgranitesrijan
 
Self scaling Multi cloud nomad workloads
Self scaling Multi cloud nomad workloadsSelf scaling Multi cloud nomad workloads
Self scaling Multi cloud nomad workloadsBram Vogelaar
 
Getting Started with Trello for Beginners.pptx
Getting Started with Trello for Beginners.pptxGetting Started with Trello for Beginners.pptx
Getting Started with Trello for Beginners.pptxmavinoikein
 
unit I lecture 4 - AGILE DEVELOPMENT AND PLAN-DRIVEN.pdf
unit I lecture 4 - AGILE DEVELOPMENT AND PLAN-DRIVEN.pdfunit I lecture 4 - AGILE DEVELOPMENT AND PLAN-DRIVEN.pdf
unit I lecture 4 - AGILE DEVELOPMENT AND PLAN-DRIVEN.pdfStephenTec
 
maximum subarray ppt for killing camp students
maximum subarray ppt for killing camp studentsmaximum subarray ppt for killing camp students
maximum subarray ppt for killing camp studentsssuser82c38d
 
Essence of Requirements Engineering: Pragmatic Insights for 2024
Essence of Requirements Engineering: Pragmatic Insights for 2024Essence of Requirements Engineering: Pragmatic Insights for 2024
Essence of Requirements Engineering: Pragmatic Insights for 2024Asher Sterkin
 
100 TOOLS TO MEASURE AND ANALYSE YOUR DIGITAL MARKETING EFFORTS
100 TOOLS TO MEASURE AND ANALYSE YOUR DIGITAL MARKETING EFFORTS100 TOOLS TO MEASURE AND ANALYSE YOUR DIGITAL MARKETING EFFORTS
100 TOOLS TO MEASURE AND ANALYSE YOUR DIGITAL MARKETING EFFORTSi-engage
 
App Builder - Hierarchical Data Apps.pptx
App Builder - Hierarchical Data Apps.pptxApp Builder - Hierarchical Data Apps.pptx
App Builder - Hierarchical Data Apps.pptxPoojitha B
 
unit I lecture 3 - Software Process Models.pdf
unit I lecture 3 - Software Process Models.pdfunit I lecture 3 - Software Process Models.pdf
unit I lecture 3 - Software Process Models.pdfStephenTec
 
Sql server types of joins with example.pptx
Sql server types of joins with example.pptxSql server types of joins with example.pptx
Sql server types of joins with example.pptxsameer gaikwad
 
Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...
Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...
Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...confluent
 
Embracing Change - The Impact of Generative AI on Strategic Portfolio Management
Embracing Change - The Impact of Generative AI on Strategic Portfolio ManagementEmbracing Change - The Impact of Generative AI on Strategic Portfolio Management
Embracing Change - The Impact of Generative AI on Strategic Portfolio ManagementOnePlan Solutions
 

Dernier (20)

unit I lecture 5 - Software Development Life Cycle.pdf
unit I lecture 5 - Software Development Life Cycle.pdfunit I lecture 5 - Software Development Life Cycle.pdf
unit I lecture 5 - Software Development Life Cycle.pdf
 
unit I lecture 2 - Software Engineering Ethics - Software Process.pdf
unit I lecture 2 - Software Engineering Ethics - Software Process.pdfunit I lecture 2 - Software Engineering Ethics - Software Process.pdf
unit I lecture 2 - Software Engineering Ethics - Software Process.pdf
 
Les02 Restricting and Sorting Data using SQL.ppt
Les02 Restricting and Sorting Data using SQL.pptLes02 Restricting and Sorting Data using SQL.ppt
Les02 Restricting and Sorting Data using SQL.ppt
 
unit 1 lecture 1 - Introduction - Software Engineering Myths.pdf
unit 1 lecture 1 - Introduction - Software Engineering Myths.pdfunit 1 lecture 1 - Introduction - Software Engineering Myths.pdf
unit 1 lecture 1 - Introduction - Software Engineering Myths.pdf
 
Steps to Build a PWA with Odoo.pdf
Steps to Build a PWA with Odoo.pdfSteps to Build a PWA with Odoo.pdf
Steps to Build a PWA with Odoo.pdf
 
Manual de la Mezcladora SoundCraft Notepad -12Fx
Manual de la Mezcladora SoundCraft Notepad -12FxManual de la Mezcladora SoundCraft Notepad -12Fx
Manual de la Mezcladora SoundCraft Notepad -12Fx
 
AUTOKEYUNLOCKER-BRANDS-SUPPORT-STANDARD-VERSION.pdf
AUTOKEYUNLOCKER-BRANDS-SUPPORT-STANDARD-VERSION.pdfAUTOKEYUNLOCKER-BRANDS-SUPPORT-STANDARD-VERSION.pdf
AUTOKEYUNLOCKER-BRANDS-SUPPORT-STANDARD-VERSION.pdf
 
India's_Generative_AI_Startup_Landscape_Report_2023_Inc42 (1).pdf
India's_Generative_AI_Startup_Landscape_Report_2023_Inc42 (1).pdfIndia's_Generative_AI_Startup_Landscape_Report_2023_Inc42 (1).pdf
India's_Generative_AI_Startup_Landscape_Report_2023_Inc42 (1).pdf
 
Self scaling Multi cloud nomad workloads
Self scaling Multi cloud nomad workloadsSelf scaling Multi cloud nomad workloads
Self scaling Multi cloud nomad workloads
 
Getting Started with Trello for Beginners.pptx
Getting Started with Trello for Beginners.pptxGetting Started with Trello for Beginners.pptx
Getting Started with Trello for Beginners.pptx
 
unit I lecture 4 - AGILE DEVELOPMENT AND PLAN-DRIVEN.pdf
unit I lecture 4 - AGILE DEVELOPMENT AND PLAN-DRIVEN.pdfunit I lecture 4 - AGILE DEVELOPMENT AND PLAN-DRIVEN.pdf
unit I lecture 4 - AGILE DEVELOPMENT AND PLAN-DRIVEN.pdf
 
Features of IETM Software -Code and Pixels
Features of IETM Software -Code and PixelsFeatures of IETM Software -Code and Pixels
Features of IETM Software -Code and Pixels
 
maximum subarray ppt for killing camp students
maximum subarray ppt for killing camp studentsmaximum subarray ppt for killing camp students
maximum subarray ppt for killing camp students
 
Essence of Requirements Engineering: Pragmatic Insights for 2024
Essence of Requirements Engineering: Pragmatic Insights for 2024Essence of Requirements Engineering: Pragmatic Insights for 2024
Essence of Requirements Engineering: Pragmatic Insights for 2024
 
100 TOOLS TO MEASURE AND ANALYSE YOUR DIGITAL MARKETING EFFORTS
100 TOOLS TO MEASURE AND ANALYSE YOUR DIGITAL MARKETING EFFORTS100 TOOLS TO MEASURE AND ANALYSE YOUR DIGITAL MARKETING EFFORTS
100 TOOLS TO MEASURE AND ANALYSE YOUR DIGITAL MARKETING EFFORTS
 
App Builder - Hierarchical Data Apps.pptx
App Builder - Hierarchical Data Apps.pptxApp Builder - Hierarchical Data Apps.pptx
App Builder - Hierarchical Data Apps.pptx
 
unit I lecture 3 - Software Process Models.pdf
unit I lecture 3 - Software Process Models.pdfunit I lecture 3 - Software Process Models.pdf
unit I lecture 3 - Software Process Models.pdf
 
Sql server types of joins with example.pptx
Sql server types of joins with example.pptxSql server types of joins with example.pptx
Sql server types of joins with example.pptx
 
Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...
Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...
Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...
 
Embracing Change - The Impact of Generative AI on Strategic Portfolio Management
Embracing Change - The Impact of Generative AI on Strategic Portfolio ManagementEmbracing Change - The Impact of Generative AI on Strategic Portfolio Management
Embracing Change - The Impact of Generative AI on Strategic Portfolio Management
 

Ruby on Rails security in your Continuous Integration

  • 1. Confidential & proprietary © Sqreen, 2015 Rails Security Continuous Integration We make products antifragile.
  • 2. Confidential & proprietary © Sqreen, 2015 Jean-Baptiste Aviat Sqreen CTO (https://sqreen.io) Former Apple software security engineer Former white hat hacker Twitter: @JbAviat Email: jb@sqreen.io
  • 3. Confidential & proprietary © Sqreen, 2015 –Agent Smith “Never send a human to do a machine's job.”
  • 4. Confidential & proprietary © Sqreen, 2015 Continuous Integration Quality: automate everything you can Unit tests at every commit Integration tests at every commit Test against a production like stack Maximize confidence for every commit
  • 5. Confidential & proprietary © Sqreen, 2015 –Edsger W. Dijkstra “Testing shows the presence, not the absence of bugs.”
  • 6. Confidential & proprietary © Sqreen, 2015 Static & Dynamic analysis
  • 7. Confidential & proprietary © Sqreen, 2015 Static analysis - Brakeman http://brakemanscanner.org/ Written in Ruby Dedicated to Ruby on Rails Open source: https://github.com/presidentbeef/brakeman Podcast: Ruby Rogues #219
  • 8. Confidential & proprietary © Sqreen, 2015 Static analysis - Jenkins integration Jenkins plugin: https://wiki.jenkins-ci.org/display/JENKINS/Brakeman+Plugin Install Gem on test server Add an adequate test to Jenkins Done.
  • 9. Confidential & proprietary © Sqreen, 2015 Dynamic analysis - Arachni http://www.arachni-scanner.com/ Written in Ruby Compatible with any Web application Open source: https://github.com/Arachni/arachni/ Powerful but complex
  • 10. Confidential & proprietary © Sqreen, 2015 Dynamic analysis - Jenkins integration No Jenkins plugin Do it yourself JUnit XML (contact me) Order tests by sensitivity Set a short timeout Dynamic tests: the faster server the better Puma did well
  • 11. Confidential & proprietary © Sqreen, 2015 Demo
  • 12. Confidential & proprietary © Sqreen, 2015 Brakeman detects 2 XSS
  • 13. Confidential & proprietary © Sqreen, 2015 Brakeman detected XSS details Undetected issue Fake issue: @secure is static! Real XSS
  • 14. Confidential & proprietary © Sqreen, 2015 Arachne scan result
  • 15. Confidential & proprietary © Sqreen, 2015 Arachne issue details
  • 16. Confidential & proprietary © Sqreen, 2015 Issues False positives lower CI confidence Cannot test against production (dangerous), lead to more false positives Tools updates depend on maintainers will Need to iteratively adapt your code Vulnerabilities debt (legacy) Security tests are not written by you Need deep attack knowledge to understand them
  • 17. Confidential & proprietary © Sqreen, 2015 Sqreen: you code, we protect We automatically protect your apps Strong and transparent Beta program available: Come and see me if you have Rails or Sinatra based applications Sqreen is hiring : http://sqreen.io/jobs.html