SlideShare une entreprise Scribd logo
1  sur  22
Continuous Security Testing 
In a DevOps World
About Me 
• Stephen de Vries 
– CTO ContinuumSecurity 
– 60% Security consultant 40% Developer 
– Author: BDD-Security project
About Me 
DevOps is a means 
Continuous Delivery / Continuous Deployment is the end 
• Don’t wait for a release before deploy 
• Deploy individual features 
• Get business value to production as fast as possible
Plan/Code/Build/Test 
Continuous Delivery 
Continuous Integration 
Agile 
Int. Test QA Testing 
Continuous Deployment 
Deploy 
DevOps
DevOps is a tool to operate a continuous 
delivery pipeline
The DevOps challenge to security 
• Our project requirements are visible to dev and ops 
• Our build, test and deploy process is entirely automated 
• Developers can deploy to prod directly 
• We deploy to prod multiple times per day 
• Amazon: deploy every 11.6 seconds 
• Etsy: deploys 25+ times/day 
• Gov.uk: deploys 30 times/day 
How can we do this securely?
Traditional Security approach 
• Dead documents 
• Reliance on manual processes 
• Tools don’t fit the 
deployment pipeline 
• Tool results don’t translate to 
business requirements
What can security learn from DevOps? 
• Security Testing is quality testing 
• Continuous monitoring (See OWASP AppSensor) 
• Automated all the things
Security Testing > Security Scanning 
• Scanners don’t test functional security 
• Tests have an expected outcome 
• Comprehensive tests ARE the requirements 
• Tests are code: stored by SCM
@Test 
public void change_session_ID_after_login() { 
First attempt: 
driver.get("http://localhost:9110/ropeytasks/user/login"); 
Cookie preLoginSessionId = getSessionId("JESSSIONID"); 
login("bob", "password"); 
Cookie afterLoginSessionId = getSessionId("JESSSIONID"); 
assertThat(afterLoginSessionId.getValue(), 
not(preLoginSessionId.getValue())); 
} 
public void login(String u, String p) { 
driver.findElement(By.id("username")).clear(); 
driver.findElement(By.id("username")).sendKeys(u); 
driver.findElement(By.id("password")).clear(); 
driver.findElement(By.id("password")).sendKeys(p); 
driver.findElement(By.name("_action_login")).click(); 
} 
• Navigation logic is embedded in the test 
• Selenium does not expose HTTP 
• Excludes non-developers
BDD-Security Testing Framework 
https://github.com/continuumsecurity/bdd-security 
• Tests written in JBehave 
• Automated Functional Security Testing 
• Non-functional security testing 
• Wraps security tools in tests: 
• OWASP ZAP 
• Nessus 
• Port scanner (built in)
BDD-Security example
BDD-Security Testing Framework 
• Must be able to automate manual security testing 
• Selenium + OWASP ZAP API 
• Tests must be understandable by all stakeholders 
• Behaviour Driven Development (BDD) with JBehave 
• Must fit into dev workflow and continuous integration 
pipelines 
• Runs in IDE, cmd line 
• Runs in Jenkins 
• Test results in JUnit wrapper +HTML in Jenkins 
• The logic of the security tests should be independent from 
navigation code 
• Provide a baseline of ready-to-use security tests
Demo 
• Ropey Tasks 
• Initial configuration 
• BDD wrappers around scanning tools 
• BDD tests of functional app security 
• Automated access control tests
Integration with Jenkins
Limitations 
• Email: Not implemented yet 
• Needed for self-reg 
• Account Lockout 
• Access control not Anti-CSRF aware 
• Test Maintenance 
• Use error checking wherever possible 
• When extending try to find generic solution 
• E.g.: ISomeBehaviour
Traditional Security approach
• Self verifying requirements 
• Automated testing 
• Testing inserted into CD pipeline
Resources: 
• https://github.com/continuumsecurity 
• OWASP ZAP Pure Java client API 
• Resty-Burp RESTful API into Burp Suite 
• Nessus Java Client 
• SSLTest Java SSL analyser 
• Related projects: 
• Gauntlt BDD wrapper for sec tools: https://github.com/gauntlt/gauntlt 
(Ruby) 
• Mittn Burp Integration: https://github.com/F-Secure/mittn (Python)
Questions? 
@stephendv

Contenu connexe

Tendances

Integrating security into Continuous Delivery
Integrating security into Continuous DeliveryIntegrating security into Continuous Delivery
Integrating security into Continuous DeliveryTom Stiehm
 
Just Enough Threat Modeling
Just Enough Threat ModelingJust Enough Threat Modeling
Just Enough Threat ModelingStephen de Vries
 
DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of ITCloudPassage
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon
 
SecDevOps - The Operationalisation of Security
SecDevOps -  The Operationalisation of SecuritySecDevOps -  The Operationalisation of Security
SecDevOps - The Operationalisation of SecurityDinis Cruz
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Securitysedukull
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon
 
DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...
DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...
DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...DevSecCon
 
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021  - Catch Me If You can : Continuous Delivery vs. Security AssuranceSec4dev 2021  - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security AssuranceAbdessamad TEMMAR
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavAbhay Bhargav
 
The Seven Habits of Highly Effective Puppet Users - PuppetConf 2014
The Seven Habits of Highly Effective Puppet Users - PuppetConf 2014The Seven Habits of Highly Effective Puppet Users - PuppetConf 2014
The Seven Habits of Highly Effective Puppet Users - PuppetConf 2014Puppet
 
Continuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityStephen de Vries
 
DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines Abdul_Mujeeb
 
Dev seccon london 2016 intelliment security
Dev seccon london 2016   intelliment securityDev seccon london 2016   intelliment security
Dev seccon london 2016 intelliment securityDevSecCon
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Christian Schneider
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCSuman Sourav
 
What it feels like to live in a Security Enabled DevOps World
What it feels like to live in a Security Enabled DevOps WorldWhat it feels like to live in a Security Enabled DevOps World
What it feels like to live in a Security Enabled DevOps WorldKarun Chennuri
 

Tendances (20)

Integrating security into Continuous Delivery
Integrating security into Continuous DeliveryIntegrating security into Continuous Delivery
Integrating security into Continuous Delivery
 
Just Enough Threat Modeling
Just Enough Threat ModelingJust Enough Threat Modeling
Just Enough Threat Modeling
 
DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
 
SecDevOps
SecDevOpsSecDevOps
SecDevOps
 
SecDevOps - The Operationalisation of Security
SecDevOps -  The Operationalisation of SecuritySecDevOps -  The Operationalisation of Security
SecDevOps - The Operationalisation of Security
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim Mackey
 
DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...
DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...
DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...
 
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021  - Catch Me If You can : Continuous Delivery vs. Security AssuranceSec4dev 2021  - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
 
The Seven Habits of Highly Effective Puppet Users - PuppetConf 2014
The Seven Habits of Highly Effective Puppet Users - PuppetConf 2014The Seven Habits of Highly Effective Puppet Users - PuppetConf 2014
The Seven Habits of Highly Effective Puppet Users - PuppetConf 2014
 
Continuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-Security
 
DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines
 
Dev seccon london 2016 intelliment security
Dev seccon london 2016   intelliment securityDev seccon london 2016   intelliment security
Dev seccon london 2016 intelliment security
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
What it feels like to live in a Security Enabled DevOps World
What it feels like to live in a Security Enabled DevOps WorldWhat it feels like to live in a Security Enabled DevOps World
What it feels like to live in a Security Enabled DevOps World
 

Similaire à Continuous Security Testing with Devops - OWASP EU 2014

Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAutomating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAmazon Web Services
 
Alexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implementAlexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implementDefconRussia
 
Infinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan Kušt
Infinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan KuštInfinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan Kušt
Infinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan KuštInfinum
 
Continuous Security Testing in a Devops World
Continuous Security Testing in a Devops WorldContinuous Security Testing in a Devops World
Continuous Security Testing in a Devops WorldStephen de Vries
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsAmazon Web Services
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with PythonAbhay Bhargav
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsAmazon Web Services
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
Application Lifecycle Management
Application Lifecycle ManagementApplication Lifecycle Management
Application Lifecycle ManagementAmazon Web Services
 
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程Duran Hsieh
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinMatt Tesauro
 
Security Implications for a DevOps Transformation
Security Implications for a DevOps TransformationSecurity Implications for a DevOps Transformation
Security Implications for a DevOps TransformationDeborah Schalm
 
Security Implications for a DevOps Transformation
Security Implications for a DevOps TransformationSecurity Implications for a DevOps Transformation
Security Implications for a DevOps TransformationDevOps.com
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
MyHeritage - QA Automations in a Continuous Deployment environment
MyHeritage -  QA Automations in a Continuous Deployment environmentMyHeritage -  QA Automations in a Continuous Deployment environment
MyHeritage - QA Automations in a Continuous Deployment environmentMatanGoren
 
Securing Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsSecuring Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsAmazon Web Services
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsAmazon Web Services
 

Similaire à Continuous Security Testing with Devops - OWASP EU 2014 (20)

Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAutomating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps
 
Alexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implementAlexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implement
 
Infinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan Kušt
Infinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan KuštInfinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan Kušt
Infinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan Kušt
 
Continuous Security Testing in a Devops World
Continuous Security Testing in a Devops WorldContinuous Security Testing in a Devops World
Continuous Security Testing in a Devops World
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Application Lifecycle Management
Application Lifecycle ManagementApplication Lifecycle Management
Application Lifecycle Management
 
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 
Security Implications for a DevOps Transformation
Security Implications for a DevOps TransformationSecurity Implications for a DevOps Transformation
Security Implications for a DevOps Transformation
 
Security Implications for a DevOps Transformation
Security Implications for a DevOps TransformationSecurity Implications for a DevOps Transformation
Security Implications for a DevOps Transformation
 
Owasp tds
Owasp tdsOwasp tds
Owasp tds
 
MyHeritage - QA Automations in a Continuous Deployment environment
MyHeritage -  QA Automations in a Continuous Deployment environmentMyHeritage -  QA Automations in a Continuous Deployment environment
MyHeritage - QA Automations in a Continuous Deployment environment
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code Analysis
 
Securing Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsSecuring Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOps
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
 
CI/CD on AWS
CI/CD on AWSCI/CD on AWS
CI/CD on AWS
 

Dernier

💞 Safe And Seℂure ℂall Girls Dehradun ℂall Girls Serviℂe Just ℂall 🍑👄93157910...
💞 Safe And Seℂure ℂall Girls Dehradun ℂall Girls Serviℂe Just ℂall 🍑👄93157910...💞 Safe And Seℂure ℂall Girls Dehradun ℂall Girls Serviℂe Just ℂall 🍑👄93157910...
💞 Safe And Seℂure ℂall Girls Dehradun ℂall Girls Serviℂe Just ℂall 🍑👄93157910...Mumbai Escorts
 
原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样A
 
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.Tortogel
 
一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理
一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理
一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理C
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...APNIC
 
一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理
一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理
一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理B
 
The Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfThe Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfe-Market Hub
 
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkkaudience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkklolsDocherty
 
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书Fir
 
Free scottie t shirts Free scottie t shirts
Free scottie t shirts Free scottie t shirtsFree scottie t shirts Free scottie t shirts
Free scottie t shirts Free scottie t shirtsrahman018755
 
一比一定制(Dundee毕业证书)英国邓迪大学毕业证学位证书
一比一定制(Dundee毕业证书)英国邓迪大学毕业证学位证书一比一定制(Dundee毕业证书)英国邓迪大学毕业证学位证书
一比一定制(Dundee毕业证书)英国邓迪大学毕业证学位证书gfhdsfr
 
一比一原版(NYU毕业证书)美国纽约大学毕业证如何办理
一比一原版(NYU毕业证书)美国纽约大学毕业证如何办理一比一原版(NYU毕业证书)美国纽约大学毕业证如何办理
一比一原版(NYU毕业证书)美国纽约大学毕业证如何办理Fir
 
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理Fir
 
一比一原版英国萨赛克斯大学毕业证如何办理
一比一原版英国萨赛克斯大学毕业证如何办理一比一原版英国萨赛克斯大学毕业证如何办理
一比一原版英国萨赛克斯大学毕业证如何办理SDSA
 
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...musaddumba454
 
Production 2024 sunderland culture final - Copy.pptx
Production 2024 sunderland culture final - Copy.pptxProduction 2024 sunderland culture final - Copy.pptx
Production 2024 sunderland culture final - Copy.pptxChloeMeadows1
 
Development Lifecycle.pptx for the secure development of apps
Development Lifecycle.pptx for the secure development of appsDevelopment Lifecycle.pptx for the secure development of apps
Development Lifecycle.pptx for the secure development of appscristianmanaila2
 
一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书A
 
一比一定制(OSU毕业证书)美国俄亥俄州立大学毕业证学位证书
一比一定制(OSU毕业证书)美国俄亥俄州立大学毕业证学位证书一比一定制(OSU毕业证书)美国俄亥俄州立大学毕业证学位证书
一比一定制(OSU毕业证书)美国俄亥俄州立大学毕业证学位证书rgdasda
 
原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样
原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样
原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样asdafd
 

Dernier (20)

💞 Safe And Seℂure ℂall Girls Dehradun ℂall Girls Serviℂe Just ℂall 🍑👄93157910...
💞 Safe And Seℂure ℂall Girls Dehradun ℂall Girls Serviℂe Just ℂall 🍑👄93157910...💞 Safe And Seℂure ℂall Girls Dehradun ℂall Girls Serviℂe Just ℂall 🍑👄93157910...
💞 Safe And Seℂure ℂall Girls Dehradun ℂall Girls Serviℂe Just ℂall 🍑👄93157910...
 
原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样
 
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
 
一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理
一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理
一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理
一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理
一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理
 
The Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfThe Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdf
 
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkkaudience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
 
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
 
Free scottie t shirts Free scottie t shirts
Free scottie t shirts Free scottie t shirtsFree scottie t shirts Free scottie t shirts
Free scottie t shirts Free scottie t shirts
 
一比一定制(Dundee毕业证书)英国邓迪大学毕业证学位证书
一比一定制(Dundee毕业证书)英国邓迪大学毕业证学位证书一比一定制(Dundee毕业证书)英国邓迪大学毕业证学位证书
一比一定制(Dundee毕业证书)英国邓迪大学毕业证学位证书
 
一比一原版(NYU毕业证书)美国纽约大学毕业证如何办理
一比一原版(NYU毕业证书)美国纽约大学毕业证如何办理一比一原版(NYU毕业证书)美国纽约大学毕业证如何办理
一比一原版(NYU毕业证书)美国纽约大学毕业证如何办理
 
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
 
一比一原版英国萨赛克斯大学毕业证如何办理
一比一原版英国萨赛克斯大学毕业证如何办理一比一原版英国萨赛克斯大学毕业证如何办理
一比一原版英国萨赛克斯大学毕业证如何办理
 
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
 
Production 2024 sunderland culture final - Copy.pptx
Production 2024 sunderland culture final - Copy.pptxProduction 2024 sunderland culture final - Copy.pptx
Production 2024 sunderland culture final - Copy.pptx
 
Development Lifecycle.pptx for the secure development of apps
Development Lifecycle.pptx for the secure development of appsDevelopment Lifecycle.pptx for the secure development of apps
Development Lifecycle.pptx for the secure development of apps
 
一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书
 
一比一定制(OSU毕业证书)美国俄亥俄州立大学毕业证学位证书
一比一定制(OSU毕业证书)美国俄亥俄州立大学毕业证学位证书一比一定制(OSU毕业证书)美国俄亥俄州立大学毕业证学位证书
一比一定制(OSU毕业证书)美国俄亥俄州立大学毕业证学位证书
 
原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样
原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样
原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样
 

Continuous Security Testing with Devops - OWASP EU 2014

  • 1. Continuous Security Testing In a DevOps World
  • 2. About Me • Stephen de Vries – CTO ContinuumSecurity – 60% Security consultant 40% Developer – Author: BDD-Security project
  • 3.
  • 4. About Me DevOps is a means Continuous Delivery / Continuous Deployment is the end • Don’t wait for a release before deploy • Deploy individual features • Get business value to production as fast as possible
  • 5. Plan/Code/Build/Test Continuous Delivery Continuous Integration Agile Int. Test QA Testing Continuous Deployment Deploy DevOps
  • 6. DevOps is a tool to operate a continuous delivery pipeline
  • 7. The DevOps challenge to security • Our project requirements are visible to dev and ops • Our build, test and deploy process is entirely automated • Developers can deploy to prod directly • We deploy to prod multiple times per day • Amazon: deploy every 11.6 seconds • Etsy: deploys 25+ times/day • Gov.uk: deploys 30 times/day How can we do this securely?
  • 8.
  • 9. Traditional Security approach • Dead documents • Reliance on manual processes • Tools don’t fit the deployment pipeline • Tool results don’t translate to business requirements
  • 10. What can security learn from DevOps? • Security Testing is quality testing • Continuous monitoring (See OWASP AppSensor) • Automated all the things
  • 11. Security Testing > Security Scanning • Scanners don’t test functional security • Tests have an expected outcome • Comprehensive tests ARE the requirements • Tests are code: stored by SCM
  • 12. @Test public void change_session_ID_after_login() { First attempt: driver.get("http://localhost:9110/ropeytasks/user/login"); Cookie preLoginSessionId = getSessionId("JESSSIONID"); login("bob", "password"); Cookie afterLoginSessionId = getSessionId("JESSSIONID"); assertThat(afterLoginSessionId.getValue(), not(preLoginSessionId.getValue())); } public void login(String u, String p) { driver.findElement(By.id("username")).clear(); driver.findElement(By.id("username")).sendKeys(u); driver.findElement(By.id("password")).clear(); driver.findElement(By.id("password")).sendKeys(p); driver.findElement(By.name("_action_login")).click(); } • Navigation logic is embedded in the test • Selenium does not expose HTTP • Excludes non-developers
  • 13. BDD-Security Testing Framework https://github.com/continuumsecurity/bdd-security • Tests written in JBehave • Automated Functional Security Testing • Non-functional security testing • Wraps security tools in tests: • OWASP ZAP • Nessus • Port scanner (built in)
  • 15. BDD-Security Testing Framework • Must be able to automate manual security testing • Selenium + OWASP ZAP API • Tests must be understandable by all stakeholders • Behaviour Driven Development (BDD) with JBehave • Must fit into dev workflow and continuous integration pipelines • Runs in IDE, cmd line • Runs in Jenkins • Test results in JUnit wrapper +HTML in Jenkins • The logic of the security tests should be independent from navigation code • Provide a baseline of ready-to-use security tests
  • 16. Demo • Ropey Tasks • Initial configuration • BDD wrappers around scanning tools • BDD tests of functional app security • Automated access control tests
  • 18. Limitations • Email: Not implemented yet • Needed for self-reg • Account Lockout • Access control not Anti-CSRF aware • Test Maintenance • Use error checking wherever possible • When extending try to find generic solution • E.g.: ISomeBehaviour
  • 20. • Self verifying requirements • Automated testing • Testing inserted into CD pipeline
  • 21. Resources: • https://github.com/continuumsecurity • OWASP ZAP Pure Java client API • Resty-Burp RESTful API into Burp Suite • Nessus Java Client • SSLTest Java SSL analyser • Related projects: • Gauntlt BDD wrapper for sec tools: https://github.com/gauntlt/gauntlt (Ruby) • Mittn Burp Integration: https://github.com/F-Secure/mittn (Python)

Notes de l'éditeur

  1. Security is playing catchup with development practices again and although there’s a lot of hype around devops, I think there’s a lot security specialists can learn from it. What I’d like to focus on is how we can leverage current tools to provide continuous security testing at devops speeds.
  2. I’d like to frame devops as a tool. So if devops is the means, then Continuous Delivery or Continuous Deployment is the end. What CD says is that instead of collecting our features into a batch release and then deploying into production.
  3. As you ramp up from just Agile to Continuous Deployment, the amount of DevOps you’re doing needs to increase. Continuous delivery goes one step further than continuous integration in that you have a deliverable product. At the end of a Continuous delivery cycle you have a shippable product that can be delivered to staging environment or to user acceptance test environment. Devops starts becoming important when you move from CI to CD, because you need to delivery a working product in a realistic environment.
  4. The continuous delivery practioners talk about a pipeline where Without tight integration and open communication between dev and ops, and without a lot of automation, it is not possible to operate a continuous delivery pipeline.
  5. Given that Dev and Ops are working together in harmony they can operate this pipeline and deploy to production multiple times per day.
  6. The answer of a traditional security team, would be more along the lines of a continuous annoyment model. Answering no to everything: You can’t have automated security tests at the frequency you want And you definitely can’t deploy without a pentest
  7. If we want to fit security into a devops process we don’t have to start from scratch. Security is not special. I’d go as far as saying that software security should really be treated as a type of QA. And those tests should include security testing.
  8. And when I say security testing, I’m talking about more than just automated scanning. Sure you need to use the static and dynamic analysers to find security bugs.
  9. Junit and Selenium.
  10. Taking these testing principals that are already used to test other aspects of software and putting them to use for security was the reason for the BDD-Security project.
  11. This specification is executable.
  12. Show ropeytasks Config file Show app_scan story change Medium to Low, create navigate method with selenium IDE. Show authentication stories, implement interfaces and run. They’re primarily functional Show nessus_scan story Better consistency than a manual process because the story is just a file, so version control Automated Access control tests by using three variables: the authorised user, the actions to get to a restricted page, and the sensitiveData that’s contained on that page. Explain @Restricted and the two authorisation tables that can be created. Implement viewBobsProfile Then show authorisation story
  13. Because the framework is based on other standard technologies, it integrates quite easily with jenkins