Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.
Continuous Security Testing 
In a DevOps World
About Me 
• Stephen de Vries 
– CTO ContinuumSecurity 
– 60% Security consultant 40% Developer 
– Author: BDD-Security pro...
About Me 
DevOps is a means 
Continuous Delivery / Continuous Deployment is the end 
• Don’t wait for a release before dep...
Plan/Code/Build/Test 
Continuous Delivery 
Continuous Integration 
Agile 
Int. Test QA Testing 
Continuous Deployment 
Dep...
DevOps is a tool to operate a continuous 
delivery pipeline
The DevOps challenge to security 
• Our project requirements are visible to dev and ops 
• Our build, test and deploy proc...
Traditional Security approach 
• Dead documents 
• Reliance on manual processes 
• Tools don’t fit the 
deployment pipelin...
What can security learn from DevOps? 
• Security Testing is quality testing 
• Continuous monitoring (See OWASP AppSensor)...
Security Testing > Security Scanning 
• Scanners don’t test functional security 
• Tests have an expected outcome 
• Compr...
@Test 
public void change_session_ID_after_login() { 
First attempt: 
driver.get("http://localhost:9110/ropeytasks/user/lo...
BDD-Security Testing Framework 
https://github.com/continuumsecurity/bdd-security 
• Tests written in JBehave 
• Automated...
BDD-Security example
BDD-Security Testing Framework 
• Must be able to automate manual security testing 
• Selenium + OWASP ZAP API 
• Tests mu...
Demo 
• Ropey Tasks 
• Initial configuration 
• BDD wrappers around scanning tools 
• BDD tests of functional app security...
Integration with Jenkins
Limitations 
• Email: Not implemented yet 
• Needed for self-reg 
• Account Lockout 
• Access control not Anti-CSRF aware ...
Traditional Security approach
• Self verifying requirements 
• Automated testing 
• Testing inserted into CD pipeline
Resources: 
• https://github.com/continuumsecurity 
• OWASP ZAP Pure Java client API 
• Resty-Burp RESTful API into Burp S...
Questions? 
@stephendv
Continuous Security Testing  with Devops - OWASP EU 2014
Continuous Security Testing  with Devops - OWASP EU 2014
Prochain SlideShare
Chargement dans…5
×

Continuous Security Testing with Devops - OWASP EU 2014

10 923 vues

Publié le

Integrating security into devops approach using BDD-Security in a CI environment.

Publié dans : Internet
  • ♣♣ 10 Easy Ways to Improve Your Performance in Bed... ▲▲▲ http://ishbv.com/rockhardx/pdf
       Répondre 
    Voulez-vous vraiment ?  Oui  Non
    Votre message apparaîtra ici
  • Hai, Thanks for sharing information. Hope this blog https://mindmajix.com/security-devops-tools may also helpful for you, Please go through it.
       Répondre 
    Voulez-vous vraiment ?  Oui  Non
    Votre message apparaîtra ici

Continuous Security Testing with Devops - OWASP EU 2014

  1. 1. Continuous Security Testing In a DevOps World
  2. 2. About Me • Stephen de Vries – CTO ContinuumSecurity – 60% Security consultant 40% Developer – Author: BDD-Security project
  3. 3. About Me DevOps is a means Continuous Delivery / Continuous Deployment is the end • Don’t wait for a release before deploy • Deploy individual features • Get business value to production as fast as possible
  4. 4. Plan/Code/Build/Test Continuous Delivery Continuous Integration Agile Int. Test QA Testing Continuous Deployment Deploy DevOps
  5. 5. DevOps is a tool to operate a continuous delivery pipeline
  6. 6. The DevOps challenge to security • Our project requirements are visible to dev and ops • Our build, test and deploy process is entirely automated • Developers can deploy to prod directly • We deploy to prod multiple times per day • Amazon: deploy every 11.6 seconds • Etsy: deploys 25+ times/day • Gov.uk: deploys 30 times/day How can we do this securely?
  7. 7. Traditional Security approach • Dead documents • Reliance on manual processes • Tools don’t fit the deployment pipeline • Tool results don’t translate to business requirements
  8. 8. What can security learn from DevOps? • Security Testing is quality testing • Continuous monitoring (See OWASP AppSensor) • Automated all the things
  9. 9. Security Testing > Security Scanning • Scanners don’t test functional security • Tests have an expected outcome • Comprehensive tests ARE the requirements • Tests are code: stored by SCM
  10. 10. @Test public void change_session_ID_after_login() { First attempt: driver.get("http://localhost:9110/ropeytasks/user/login"); Cookie preLoginSessionId = getSessionId("JESSSIONID"); login("bob", "password"); Cookie afterLoginSessionId = getSessionId("JESSSIONID"); assertThat(afterLoginSessionId.getValue(), not(preLoginSessionId.getValue())); } public void login(String u, String p) { driver.findElement(By.id("username")).clear(); driver.findElement(By.id("username")).sendKeys(u); driver.findElement(By.id("password")).clear(); driver.findElement(By.id("password")).sendKeys(p); driver.findElement(By.name("_action_login")).click(); } • Navigation logic is embedded in the test • Selenium does not expose HTTP • Excludes non-developers
  11. 11. BDD-Security Testing Framework https://github.com/continuumsecurity/bdd-security • Tests written in JBehave • Automated Functional Security Testing • Non-functional security testing • Wraps security tools in tests: • OWASP ZAP • Nessus • Port scanner (built in)
  12. 12. BDD-Security example
  13. 13. BDD-Security Testing Framework • Must be able to automate manual security testing • Selenium + OWASP ZAP API • Tests must be understandable by all stakeholders • Behaviour Driven Development (BDD) with JBehave • Must fit into dev workflow and continuous integration pipelines • Runs in IDE, cmd line • Runs in Jenkins • Test results in JUnit wrapper +HTML in Jenkins • The logic of the security tests should be independent from navigation code • Provide a baseline of ready-to-use security tests
  14. 14. Demo • Ropey Tasks • Initial configuration • BDD wrappers around scanning tools • BDD tests of functional app security • Automated access control tests
  15. 15. Integration with Jenkins
  16. 16. Limitations • Email: Not implemented yet • Needed for self-reg • Account Lockout • Access control not Anti-CSRF aware • Test Maintenance • Use error checking wherever possible • When extending try to find generic solution • E.g.: ISomeBehaviour
  17. 17. Traditional Security approach
  18. 18. • Self verifying requirements • Automated testing • Testing inserted into CD pipeline
  19. 19. Resources: • https://github.com/continuumsecurity • OWASP ZAP Pure Java client API • Resty-Burp RESTful API into Burp Suite • Nessus Java Client • SSLTest Java SSL analyser • Related projects: • Gauntlt BDD wrapper for sec tools: https://github.com/gauntlt/gauntlt (Ruby) • Mittn Burp Integration: https://github.com/F-Secure/mittn (Python)
  20. 20. Questions? @stephendv

×