SlideShare a Scribd company logo

Testing at-cloud-speed sans-app-sec-austin-2013

Download as ODP, PDF
M
Matt Tesauro
1 of 33
Testing at Cloud Speed Matt Tesauro, SANS AppSec 2013 – Austin, TX, April 2013
RACKSPACE® HOSTING | WWW.RACKSPACE.COM Who am i? Matt Tesauro – Cloud Application Security Guy + OWASP 2 matt.tesauro@rackspace.com matt.tesauro@owasp.org Racker since October 2011 Rackspace’s Product Security Group Product Security Engineering Lead Work with developers and QE Former OWASP International Foundation Board Member and Treasurer Project Leader of OWASP Live CD / OWASP WTE OWASP OpenStack Security Project
RACKSPACE® HOSTING | WWW.RACKSPACE.COM ABOUT RACKSPACE 205,000+ CUSTOMERS 90,000+ SERVERS 26,000+ VM ≅70 PB STORED 4,800+ RACKERS 9 WORLDWIDE DATA CENTERS GLOBAL FOOTPRINT CUSTOMERS IN 120+ COUNTRIES 60% FORTUNE® 100 OF THE WE SERVE Annualized Revenue OVER $1B PORTFOLIO OF HOSTED SOLUTIONS Dedicated - Cloud - Hybrid Leader in Gartner ‘s Magic Quadrant for Managed Hosting Founder OpenStack® Community 3 Named a Top Performer for Hosted Private Cloud by Forrester Research Inc. in “The Forrester Wave™: Q1 2013
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 4 SECURING APPS IN A DevOps WORLD
RACKSPACE® HOSTING | WWW.RACKSPACE.COM A quick Overview of DevOps • The combination of traditional development activities with operations and testing (QA/QE) • Collaboration, communication and integration is key • Agile development model (sprints, scrum, …) • Release coordination and automation 5 "DevOps" is an emerging set of principles, methods and practices for communication, collaboration and integration between software development (application/software engineering) and IT operations (systems administration/infrastructure) professionals.
RACKSPACE® HOSTING | WWW.RACKSPACE.COM CI, CD, CD, TDD and API CI == Continuous Integration CD == Continuous Deployment CD == Continuous Delivery TDD == Test Driven Development API == Application Programming Interface 6
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 7 • Cycle time for software is getting shorter • Continuous delivery is a goal • Scanning windows are not viable • First mover / first to market advantage THE PROBLEM 7
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 8 THE PROBLEM – or at least more • Traditional software development left little time to test • DevOps, Agile and Continuous Delivery squeeze those windows even more • New languages and programming methods aren’t making this better • Growth of interpreted languages with loose typing hurts static analysis efforts • Few automated tools to test APIs especially RESTful APIs • Little time for any testing, manual testing is doomed
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 9 • Automated software testing • Automated operational infrastructure • Automated security testing THE SOLUTION 9
RACKSPACE® HOSTING | WWW.RACKSPACE.COM Think like a developer Sprints break software into little pieces… • Break your testing into little pieces • Use your threat model to know the crucial bits to test 10 Long and short running tests • Testing time drives testing frequency • Code for tests needs to be optimized Smoke test versus full regression test • Smoke test early and often • Full regression tests on regular intervals
RACKSPACE® HOSTING | WWW.RACKSPACE.COM Maximize what you’ve got Make the most of your frameworks •Embrace, understand and fill gaps where necessary 11 Make the best use of your time… • Make tests easily repeatable • Make tests easy to understand • Make tests abstract and combine-able • Ala carte tests for mixing and matching • Think about the Unix pipe | and its power
RACKSPACE® HOSTING | WWW.RACKSPACE.COM Under the constraints of DevOps, Continuous Deployment 12 Your testing has to be nimble Dare I say…Agile In TDD, you know your code works when the tests pass In TD(S), you know your app has met the baseline when the tests pass
RACKSPACE® HOSTING | WWW.RACKSPACE.COM Its time to set the snail on fire! 13 ➔ Infrastructure ➔ App / API ➔ Code
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 14 Securing Infrastructure
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 15 Automating Infrastructure 15 • Declarative configuration language • Plain-text configuration in source control • Fully programmatic, no manual interactions
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 16 Chef 16 1. Solo 2. Server 3. Hosted 4. Private Hosted Node Node Node Node Node Node Node Node Node Node Node Node Node Node Node Sys Admin Server / Hosted / Private
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 17 Cookbooks 17 • Most major software packages have cookbooks • You will have to write your own / customize • Good place to spend security cycles -Merge patches upstream for extra points.
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 18 Grouping & Tagging 18 • Tagging your servers applies the required set of recipes • A base set of recipes is common • Each server will have multiple tags set at bootstrap time Node Node Node Node DB Node Node Node Node Cache Node Node Node Node Web Apache Monitoring MySql Memcache
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 19 Inspector – you need one 19 • For each group and/or tag • Review the recipe • Hook provisioning for post deploy review • Focus on checking for code compliance -Not perfection, bare minimums • Can include multiple facets -Security -Scalability -Compliance
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 20 Agent – one mole to rule them all 20 • Add an agent to the standard deploy • Read-only helps sell to SysAdmin • Looks at the state of the system • Reports the state to the “mothership” • Add a dashboard to visualize state of infrastructure • Change policy, servers go red • Watch the board go green as patches roll-out • Roll your own or find a vendor
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 21 Turn Vuln scanning on its head 21 • Add value for your ops teams • Subscribe and parse vuln emails for key software • Get this info during threat models • Provide an early warning and remove panic from software updates • Roll your own or find a vendor • Gmail + filters can work surprisingly well • Secunia VIM covers 40K+ products • Reverse the scan then report standard
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 22 Securing Apps & APIs
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 23 Findings directly to bug trackers 23 • PDFs are great, bugs are better • Work with developer teams to submit bugs • Security category needs to exist • Bonus points if the bug tracker has an API • Security issues are now part of the normal work flow • Beware of death by backlog • Occasional security sprints • Learn how the team treats issues
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 24 For the reticent: nag, nag, nag 24 • Attach a SLA to each severity level for findings • Remediation plan vs Fixed • “Age” all findings against these SLAs • Politely warn when SLA dates are close • Walk up the Org chart as things get older • Bonus points for dashboards and bug tracker APIs • Get management sold first
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 25 Reports = Findings + Automation 25 • Consider markup for findings • Markdown, Wiki Text, asciidoc • Pandoc to convert to whatever • HTML, PDF, .doc, .odt, ... • Keep testers writing the least possible • Template and re-use boiler plate items • New finding == new template for next time • Web app to keep things consistent • Create your own or maybe Dradis
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 26 Leverage existing consistencies 26 • Requires consistent (generally automated) input • Find these and write some scripts • Automate the drudgery • Examples: • Automate finding/bug submission • Automate report PDF generation • API documentation to basic testing harness
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 27 Securing Code
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 28 Start with the developers 28 • Finding details have to be detailed enough to: • Reproduce the issue after 6 months • Allow QE to test the issue • Allow developers to find/fix the issue • Consider quick and dirty scripts to reproduce issue • Script to abuse an API • Web page of reflective XSS findings • Once findings start flowing, look for training requests
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 29 Cherry pick what you look at 29 • Threat Models are your friends • Focus on weak, unclear or suspicious areas • Focus on connections with external systems • Focus on format translations (XML to JSON) • When code changes in those areas, • Red flag it for review • Change +2 to +3 to before accepting pull request • Use search features in source code management • Start a list of problematic methods, calls, etc
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 30 No False Positives, period 30 • If you can automate code review, you still must triage • 1 false positive == 100 valid bugs • If results aren't actionable, fail • Stick to diff analysis • Threat Modeling + “Scary Parts” + Code diffs == Quick triage of code changes • Automate where you can, iterate until you're happy • Need to build cred points with the dev teams
RACKSPACE® HOSTING | WWW.RACKSPACE.COM 31 Quiet is better then wrong 31 • Hire or befriend developers • Need to speak their language, not security's • Suggest requirements not implementation • Mitigation suggestions either generic or in the language the app is written in • Remember: Fast deploys also means fast fixes • Trying to shrink any vuln window not eliminate • Be prepared to retest / verify fix quickly
RACKSPACE® HOSTING | WWW.RACKSPACE.COM So I was talking with a friend… He was bemoaning the pace of change and the speed at which software was being pushed to production… 32 In essence, management has made the decision that getting their app out the door with possible bugs is more valuable to the business then having strong assurance that the software has few or no significant bugs. You’ve got to up your game, get automated, agile and get on pace with your developers.
33 RACKSPACE® HOSTING | 5000 WALZEM ROAD | SAN ANTONIO, TX 78218 US SALES: 1-800-961-2888 | US SUPPORT: 1-800-961-4454 | WWW.RACKSPACE.COM RACKSPACE® HOSTING | © RACKSPACE US, INC. | RACKSPACE® AND FANATICAL SUPPORT® ARE SERVICE MARKS OF RACKSPACE US, INC. REGISTERED IN THE UNITED STATES AND OTHER COUNTRIES. | WWW.RACKSPACE.COM ANY QUESTIONS? Slides on slideshare – look for user “mtesauro”

Recommended

Open source: Top issues in the top enterprise packages
Open source: Top issues in the top enterprise packagesOpen source: Top issues in the top enterprise packages
Open source: Top issues in the top enterprise packages
Rogue Wave Software
 
Open source applied: Real-world uses
Open source applied: Real-world usesOpen source applied: Real-world uses
Open source applied: Real-world uses
Rogue Wave Software
 
Webinar slides: Replication Topology Changes for MySQL and MariaDB
Webinar slides: Replication Topology Changes for MySQL and MariaDBWebinar slides: Replication Topology Changes for MySQL and MariaDB
Webinar slides: Replication Topology Changes for MySQL and MariaDB
Severalnines
 
Accelerating Software Development with NetApp's P4flex
Accelerating Software Development with NetApp's P4flexAccelerating Software Development with NetApp's P4flex
Accelerating Software Development with NetApp's P4flex
Perforce
 
... No it's Apache Kafka!
... No it's Apache Kafka!... No it's Apache Kafka!
... No it's Apache Kafka!
makker_nl
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP Switzerland
Matt Tesauro
 
The Good, The Bad, and The Avro (Graham Stirling, Saxo Bank and David Navalho...
The Good, The Bad, and The Avro (Graham Stirling, Saxo Bank and David Navalho...The Good, The Bad, and The Avro (Graham Stirling, Saxo Bank and David Navalho...
The Good, The Bad, and The Avro (Graham Stirling, Saxo Bank and David Navalho...
confluent
 
Perforce Helix Never Dies: DevOps at Bandai Namco Studios
Perforce Helix Never Dies: DevOps at Bandai Namco StudiosPerforce Helix Never Dies: DevOps at Bandai Namco Studios
Perforce Helix Never Dies: DevOps at Bandai Namco Studios
Perforce
 

Recommended

Open source: Top issues in the top enterprise packages
Open source: Top issues in the top enterprise packagesOpen source: Top issues in the top enterprise packages
Open source: Top issues in the top enterprise packages
Rogue Wave Software
 
Open source applied: Real-world uses
Open source applied: Real-world usesOpen source applied: Real-world uses
Open source applied: Real-world uses
Rogue Wave Software
 
Webinar slides: Replication Topology Changes for MySQL and MariaDB
Webinar slides: Replication Topology Changes for MySQL and MariaDBWebinar slides: Replication Topology Changes for MySQL and MariaDB
Webinar slides: Replication Topology Changes for MySQL and MariaDB
Severalnines
 
Accelerating Software Development with NetApp's P4flex
Accelerating Software Development with NetApp's P4flexAccelerating Software Development with NetApp's P4flex
Accelerating Software Development with NetApp's P4flex
Perforce
 
... No it's Apache Kafka!
... No it's Apache Kafka!... No it's Apache Kafka!
... No it's Apache Kafka!
makker_nl
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP Switzerland
Matt Tesauro
 
The Good, The Bad, and The Avro (Graham Stirling, Saxo Bank and David Navalho...
The Good, The Bad, and The Avro (Graham Stirling, Saxo Bank and David Navalho...The Good, The Bad, and The Avro (Graham Stirling, Saxo Bank and David Navalho...
The Good, The Bad, and The Avro (Graham Stirling, Saxo Bank and David Navalho...
confluent
 
Perforce Helix Never Dies: DevOps at Bandai Namco Studios
Perforce Helix Never Dies: DevOps at Bandai Namco StudiosPerforce Helix Never Dies: DevOps at Bandai Namco Studios
Perforce Helix Never Dies: DevOps at Bandai Namco Studios
Perforce
 
URP? Excuse You! The Three Kafka Metrics You Need to Know
URP? Excuse You! The Three Kafka Metrics You Need to KnowURP? Excuse You! The Three Kafka Metrics You Need to Know
URP? Excuse You! The Three Kafka Metrics You Need to Know
Todd Palino
 
Lopez deploying openstacktrunk_20130416
Lopez deploying openstacktrunk_20130416Lopez deploying openstacktrunk_20130416
Lopez deploying openstacktrunk_20130416
OpenStack Foundation
 
DevOps tools for winning agility
DevOps tools for winning agilityDevOps tools for winning agility
DevOps tools for winning agility
Kellyn Pot'Vin-Gorman
 
Heroku for team collaboration
Heroku for team collaborationHeroku for team collaboration
Heroku for team collaboration
John Stevenson
 
Developing with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaDeveloping with the Go client for Apache Kafka
Developing with the Go client for Apache Kafka
Joe Stein
 
ThoughtWorks Technology Radar Roadshow - Melbourne
ThoughtWorks Technology Radar Roadshow - MelbourneThoughtWorks Technology Radar Roadshow - Melbourne
ThoughtWorks Technology Radar Roadshow - Melbourne
Thoughtworks
 
Big data pipeline with scala by Rohit Rai, Tuplejump - presented at Pune Scal...
Big data pipeline with scala by Rohit Rai, Tuplejump - presented at Pune Scal...Big data pipeline with scala by Rohit Rai, Tuplejump - presented at Pune Scal...
Big data pipeline with scala by Rohit Rai, Tuplejump - presented at Pune Scal...
Thoughtworks
 
Ensuring Performance in a Fast-Paced Environment (CMG 2014)
Ensuring Performance in a Fast-Paced Environment (CMG 2014)Ensuring Performance in a Fast-Paced Environment (CMG 2014)
Ensuring Performance in a Fast-Paced Environment (CMG 2014)
Martin Spier
 
Always On - Zero Downtime releases
Always On - Zero Downtime releasesAlways On - Zero Downtime releases
Always On - Zero Downtime releases
Anders Lundsgård
 
What Crimean War gunboats teach us about the need for schema registries
What Crimean War gunboats teach us about the need for schema registriesWhat Crimean War gunboats teach us about the need for schema registries
What Crimean War gunboats teach us about the need for schema registries
Alexander Dean
 
Halo Installfest Slides
Halo Installfest SlidesHalo Installfest Slides
Halo Installfest Slides
CloudPassage
 
Adopting Java for the Serverless world at AWS User Group Pretoria
Adopting Java for the Serverless world at AWS User Group PretoriaAdopting Java for the Serverless world at AWS User Group Pretoria
Adopting Java for the Serverless world at AWS User Group Pretoria
Vadym Kazulkin
 
Outsmarting Merge Edge Cases in Component Based Design
Outsmarting Merge Edge Cases in Component Based DesignOutsmarting Merge Edge Cases in Component Based Design
Outsmarting Merge Edge Cases in Component Based Design
Perforce
 
How to Combine Artifacts and Source in a Single Server
How to Combine Artifacts and Source in a Single ServerHow to Combine Artifacts and Source in a Single Server
How to Combine Artifacts and Source in a Single Server
Perforce
 
PASS 24HOP Linux Scripting Tips and Tricks
PASS 24HOP Linux Scripting Tips and TricksPASS 24HOP Linux Scripting Tips and Tricks
PASS 24HOP Linux Scripting Tips and Tricks
Kellyn Pot'Vin-Gorman
 
How to Reduce Database Load with Sparse Branches
How to Reduce Database Load with Sparse BranchesHow to Reduce Database Load with Sparse Branches
How to Reduce Database Load with Sparse Branches
Perforce
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!
Matt Tesauro
 
Global Software Development powered by Perforce
Global Software Development powered by PerforceGlobal Software Development powered by Perforce
Global Software Development powered by Perforce
Perforce
 
Measure and Increase Developer Productivity with Help of Serverless at AWS Co...
Measure and Increase Developer Productivity with Help of Serverless at AWS Co...Measure and Increase Developer Productivity with Help of Serverless at AWS Co...
Measure and Increase Developer Productivity with Help of Serverless at AWS Co...
Vadym Kazulkin
 
Getting to Walk with DevOps
Getting to Walk with DevOpsGetting to Walk with DevOps
Getting to Walk with DevOps
Eklove Mohan
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt Tesauro
 
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
Matt Tesauro
 

More Related Content

What's hot

URP? Excuse You! The Three Kafka Metrics You Need to Know
URP? Excuse You! The Three Kafka Metrics You Need to KnowURP? Excuse You! The Three Kafka Metrics You Need to Know
URP? Excuse You! The Three Kafka Metrics You Need to Know
Todd Palino
 
Lopez deploying openstacktrunk_20130416
Lopez deploying openstacktrunk_20130416Lopez deploying openstacktrunk_20130416
Lopez deploying openstacktrunk_20130416
OpenStack Foundation
 
Big data pipeline with scala by Rohit Rai, Tuplejump - presented at Pune Scal...
Big data pipeline with scala by Rohit Rai, Tuplejump - presented at Pune Scal...Big data pipeline with scala by Rohit Rai, Tuplejump - presented at Pune Scal...
Big data pipeline with scala by Rohit Rai, Tuplejump - presented at Pune Scal...
Thoughtworks
 
Ensuring Performance in a Fast-Paced Environment (CMG 2014)
Ensuring Performance in a Fast-Paced Environment (CMG 2014)Ensuring Performance in a Fast-Paced Environment (CMG 2014)
Ensuring Performance in a Fast-Paced Environment (CMG 2014)
Martin Spier
 
What Crimean War gunboats teach us about the need for schema registries
What Crimean War gunboats teach us about the need for schema registriesWhat Crimean War gunboats teach us about the need for schema registries
What Crimean War gunboats teach us about the need for schema registries
Alexander Dean
 
Adopting Java for the Serverless world at AWS User Group Pretoria
Adopting Java for the Serverless world at AWS User Group PretoriaAdopting Java for the Serverless world at AWS User Group Pretoria
Adopting Java for the Serverless world at AWS User Group Pretoria
Vadym Kazulkin
 

What's hot (20)

URP? Excuse You! The Three Kafka Metrics You Need to Know
URP? Excuse You! The Three Kafka Metrics You Need to KnowURP? Excuse You! The Three Kafka Metrics You Need to Know
URP? Excuse You! The Three Kafka Metrics You Need to Know
 
Lopez deploying openstacktrunk_20130416
Lopez deploying openstacktrunk_20130416Lopez deploying openstacktrunk_20130416
Lopez deploying openstacktrunk_20130416
 
DevOps tools for winning agility
DevOps tools for winning agilityDevOps tools for winning agility
DevOps tools for winning agility
 
Heroku for team collaboration
Heroku for team collaborationHeroku for team collaboration
Heroku for team collaboration
 
Developing with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaDeveloping with the Go client for Apache Kafka
Developing with the Go client for Apache Kafka
 
ThoughtWorks Technology Radar Roadshow - Melbourne
ThoughtWorks Technology Radar Roadshow - MelbourneThoughtWorks Technology Radar Roadshow - Melbourne
ThoughtWorks Technology Radar Roadshow - Melbourne
 
Big data pipeline with scala by Rohit Rai, Tuplejump - presented at Pune Scal...
Big data pipeline with scala by Rohit Rai, Tuplejump - presented at Pune Scal...Big data pipeline with scala by Rohit Rai, Tuplejump - presented at Pune Scal...
Big data pipeline with scala by Rohit Rai, Tuplejump - presented at Pune Scal...
 
Ensuring Performance in a Fast-Paced Environment (CMG 2014)
Ensuring Performance in a Fast-Paced Environment (CMG 2014)Ensuring Performance in a Fast-Paced Environment (CMG 2014)
Ensuring Performance in a Fast-Paced Environment (CMG 2014)
 
Always On - Zero Downtime releases
Always On - Zero Downtime releasesAlways On - Zero Downtime releases
Always On - Zero Downtime releases
 
What Crimean War gunboats teach us about the need for schema registries
What Crimean War gunboats teach us about the need for schema registriesWhat Crimean War gunboats teach us about the need for schema registries
What Crimean War gunboats teach us about the need for schema registries
 
Halo Installfest Slides
Halo Installfest SlidesHalo Installfest Slides
Halo Installfest Slides
 
Adopting Java for the Serverless world at AWS User Group Pretoria
Adopting Java for the Serverless world at AWS User Group PretoriaAdopting Java for the Serverless world at AWS User Group Pretoria
Adopting Java for the Serverless world at AWS User Group Pretoria
 
Outsmarting Merge Edge Cases in Component Based Design
Outsmarting Merge Edge Cases in Component Based DesignOutsmarting Merge Edge Cases in Component Based Design
Outsmarting Merge Edge Cases in Component Based Design
 
How to Combine Artifacts and Source in a Single Server
How to Combine Artifacts and Source in a Single ServerHow to Combine Artifacts and Source in a Single Server
How to Combine Artifacts and Source in a Single Server
 
PASS 24HOP Linux Scripting Tips and Tricks
PASS 24HOP Linux Scripting Tips and TricksPASS 24HOP Linux Scripting Tips and Tricks
PASS 24HOP Linux Scripting Tips and Tricks
 
How to Reduce Database Load with Sparse Branches
How to Reduce Database Load with Sparse BranchesHow to Reduce Database Load with Sparse Branches
How to Reduce Database Load with Sparse Branches
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!
 
Global Software Development powered by Perforce
Global Software Development powered by PerforceGlobal Software Development powered by Perforce
Global Software Development powered by Perforce
 
Measure and Increase Developer Productivity with Help of Serverless at AWS Co...
Measure and Increase Developer Productivity with Help of Serverless at AWS Co...Measure and Increase Developer Productivity with Help of Serverless at AWS Co...
Measure and Increase Developer Productivity with Help of Serverless at AWS Co...
 
Getting to Walk with DevOps
Getting to Walk with DevOpsGetting to Walk with DevOps
Getting to Walk with DevOps
 

Viewers also liked

DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
Matt Tesauro
 
Chapter 19 - The Growth Of Industry
Chapter 19 - The Growth Of IndustryChapter 19 - The Growth Of Industry
Chapter 19 - The Growth Of Industry
Ryan Gill
 
Chapter 20 - Towards An Urban America
Chapter 20 - Towards An Urban AmericaChapter 20 - Towards An Urban America
Chapter 20 - Towards An Urban America
Ryan Gill
 
Chapter 17 - Reconstruction
Chapter 17 - ReconstructionChapter 17 - Reconstruction
Chapter 17 - Reconstruction
Ryan Gill
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Matt Tesauro
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramAppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
Matt Tesauro
 
Chapter 18 - The Western Frontier
Chapter 18 - The Western FrontierChapter 18 - The Western Frontier
Chapter 18 - The Western Frontier
Ryan Gill
 

Viewers also liked (18)

Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
 
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 
Dev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroDev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauro
 
DevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone AgileDevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone Agile
 
Chapter 19 - The Growth Of Industry
Chapter 19 - The Growth Of IndustryChapter 19 - The Growth Of Industry
Chapter 19 - The Growth Of Industry
 
Chapter 20 - Towards An Urban America
Chapter 20 - Towards An Urban AmericaChapter 20 - Towards An Urban America
Chapter 20 - Towards An Urban America
 
Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec Life
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
 
TICS
TICSTICS
TICS
 
Chapter 17 - Reconstruction
Chapter 17 - ReconstructionChapter 17 - Reconstruction
Chapter 17 - Reconstruction
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramAppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
 
Chapter 18 - The Western Frontier
Chapter 18 - The Western FrontierChapter 18 - The Western Frontier
Chapter 18 - The Western Frontier
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
 

Similar to Testing at-cloud-speed sans-app-sec-austin-2013

Build Your Custom Performance Testing Framework
Build Your Custom Performance Testing FrameworkBuild Your Custom Performance Testing Framework
Build Your Custom Performance Testing Framework
TechWell
 
jclouds Support Training
jclouds Support Trainingjclouds Support Training
jclouds Support Training
Everett Toews
 
Simplified DevOps Bliss -with OpenAI API
Simplified DevOps Bliss -with OpenAI APISimplified DevOps Bliss -with OpenAI API
Simplified DevOps Bliss -with OpenAI API
VictorSzoltysek
 
Behind the Curtain: Operating an OpenStack Powered Private Cloud
Behind the Curtain: Operating an OpenStack Powered Private CloudBehind the Curtain: Operating an OpenStack Powered Private Cloud
Behind the Curtain: Operating an OpenStack Powered Private Cloud
Niki Acosta
 
The Value of Certified AWS Experts to Your Business
The Value of Certified AWS Experts to Your BusinessThe Value of Certified AWS Experts to Your Business
The Value of Certified AWS Experts to Your Business
Amazon Web Services
 
Rackspace Private Cloud presentation for ChefConf 2013
Rackspace Private Cloud presentation for ChefConf 2013Rackspace Private Cloud presentation for ChefConf 2013
Rackspace Private Cloud presentation for ChefConf 2013
Joe Breu
 
Scylla Summit 2022: Learning Rust the Hard Way for a Production Kafka+ScyllaD...
Scylla Summit 2022: Learning Rust the Hard Way for a Production Kafka+ScyllaD...Scylla Summit 2022: Learning Rust the Hard Way for a Production Kafka+ScyllaD...
Scylla Summit 2022: Learning Rust the Hard Way for a Production Kafka+ScyllaD...
ScyllaDB
 
Rackspace::Solve NYC - Solving for Rapid Customer Growth and Scale Through De...
Rackspace::Solve NYC - Solving for Rapid Customer Growth and Scale Through De...Rackspace::Solve NYC - Solving for Rapid Customer Growth and Scale Through De...
Rackspace::Solve NYC - Solving for Rapid Customer Growth and Scale Through De...
Rackspace
 
Software Development kits
Software Development kitsSoftware Development kits
Software Development kits
Everett Toews
 

Similar to Testing at-cloud-speed sans-app-sec-austin-2013 (20)

High Performance Object Pascal Code on Servers (at EKON 22)
High Performance Object Pascal Code on Servers (at EKON 22)High Performance Object Pascal Code on Servers (at EKON 22)
High Performance Object Pascal Code on Servers (at EKON 22)
 
Operating OpenStack - Case Study in the Rackspace Cloud
Operating OpenStack - Case Study in the Rackspace CloudOperating OpenStack - Case Study in the Rackspace Cloud
Operating OpenStack - Case Study in the Rackspace Cloud
 
DeveloperWeek 2014
DeveloperWeek 2014DeveloperWeek 2014
DeveloperWeek 2014
 
Build Your Custom Performance Testing Framework
Build Your Custom Performance Testing FrameworkBuild Your Custom Performance Testing Framework
Build Your Custom Performance Testing Framework
 
Lessons Learned Running The Largest OpenStack Clouds
Lessons Learned Running The Largest OpenStack CloudsLessons Learned Running The Largest OpenStack Clouds
Lessons Learned Running The Largest OpenStack Clouds
 
jclouds Support Training
jclouds Support Trainingjclouds Support Training
jclouds Support Training
 
Simplified DevOps Bliss -with OpenAI API
Simplified DevOps Bliss -with OpenAI APISimplified DevOps Bliss -with OpenAI API
Simplified DevOps Bliss -with OpenAI API
 
Accion Labs - Rackspace - How can cloud help you?
Accion Labs - Rackspace - How can cloud help you?Accion Labs - Rackspace - How can cloud help you?
Accion Labs - Rackspace - How can cloud help you?
 
AWS Webcast - Build Agile Applications in AWS Cloud for Government
AWS Webcast - Build Agile Applications in AWS Cloud for GovernmentAWS Webcast - Build Agile Applications in AWS Cloud for Government
AWS Webcast - Build Agile Applications in AWS Cloud for Government
 
Behind the Curtain: Operating an OpenStack Powered Private Cloud
Behind the Curtain: Operating an OpenStack Powered Private CloudBehind the Curtain: Operating an OpenStack Powered Private Cloud
Behind the Curtain: Operating an OpenStack Powered Private Cloud
 
Midwest PHP - Scaling Magento
Midwest PHP - Scaling MagentoMidwest PHP - Scaling Magento
Midwest PHP - Scaling Magento
 
The Value of Certified AWS Experts to Your Business
The Value of Certified AWS Experts to Your BusinessThe Value of Certified AWS Experts to Your Business
The Value of Certified AWS Experts to Your Business
 
Rackspace Best Practices for DevOps on AWS
Rackspace Best Practices for DevOps on AWSRackspace Best Practices for DevOps on AWS
Rackspace Best Practices for DevOps on AWS
 
從劍宗到氣宗 - 談AWS ECS與Serverless最佳實踐
從劍宗到氣宗 - 談AWS ECS與Serverless最佳實踐從劍宗到氣宗 - 談AWS ECS與Serverless最佳實踐
從劍宗到氣宗 - 談AWS ECS與Serverless最佳實踐
 
Cloud Native Application Development
Cloud Native Application DevelopmentCloud Native Application Development
Cloud Native Application Development
 
Rackspace Private Cloud presentation for ChefConf 2013
Rackspace Private Cloud presentation for ChefConf 2013Rackspace Private Cloud presentation for ChefConf 2013
Rackspace Private Cloud presentation for ChefConf 2013
 
Application Lifecycle Management on AWS
Application Lifecycle Management on AWSApplication Lifecycle Management on AWS
Application Lifecycle Management on AWS
 
Scylla Summit 2022: Learning Rust the Hard Way for a Production Kafka+ScyllaD...
Scylla Summit 2022: Learning Rust the Hard Way for a Production Kafka+ScyllaD...Scylla Summit 2022: Learning Rust the Hard Way for a Production Kafka+ScyllaD...
Scylla Summit 2022: Learning Rust the Hard Way for a Production Kafka+ScyllaD...
 
Rackspace::Solve NYC - Solving for Rapid Customer Growth and Scale Through De...
Rackspace::Solve NYC - Solving for Rapid Customer Growth and Scale Through De...Rackspace::Solve NYC - Solving for Rapid Customer Growth and Scale Through De...
Rackspace::Solve NYC - Solving for Rapid Customer Growth and Scale Through De...
 
Software Development kits
Software Development kitsSoftware Development kits
Software Development kits
 

More from Matt Tesauro

Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023
Matt Tesauro
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsPractical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful Programs
Matt Tesauro
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security Testing
Matt Tesauro
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's Reach
Matt Tesauro
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Matt Tesauro
 

More from Matt Tesauro (15)

Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
 
Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsPractical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful Programs
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
 
Landmines in the API Landscape
Landmines in the API LandscapeLandmines in the API Landscape
Landmines in the API Landscape
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security Testing
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into security
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's Reach
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security Sanity
 
Running FaaS with Scissors
Running FaaS with ScissorsRunning FaaS with Scissors
Running FaaS with Scissors
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
 
Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program
 
AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based Security
 

Testing at-cloud-speed sans-app-sec-austin-2013

  • 1. Testing at Cloud Speed Matt Tesauro, SANS AppSec 2013 – Austin, TX, April 2013
  • 2. RACKSPACE® HOSTING | WWW.RACKSPACE.COM Who am i? Matt Tesauro – Cloud Application Security Guy + OWASP 2 matt.tesauro@rackspace.com matt.tesauro@owasp.org Racker since October 2011 Rackspace’s Product Security Group Product Security Engineering Lead Work with developers and QE Former OWASP International Foundation Board Member and Treasurer Project Leader of OWASP Live CD / OWASP WTE OWASP OpenStack Security Project
  • 3. RACKSPACE® HOSTING | WWW.RACKSPACE.COM ABOUT RACKSPACE 205,000+ CUSTOMERS 90,000+ SERVERS 26,000+ VM ≅70 PB STORED 4,800+ RACKERS 9 WORLDWIDE DATA CENTERS GLOBAL FOOTPRINT CUSTOMERS IN 120+ COUNTRIES 60% FORTUNE® 100 OF THE WE SERVE Annualized Revenue OVER $1B PORTFOLIO OF HOSTED SOLUTIONS Dedicated - Cloud - Hybrid Leader in Gartner ‘s Magic Quadrant for Managed Hosting Founder OpenStack® Community 3 Named a Top Performer for Hosted Private Cloud by Forrester Research Inc. in “The Forrester Wave™: Q1 2013
  • 4. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 4 SECURING APPS IN A DevOps WORLD
  • 5. RACKSPACE® HOSTING | WWW.RACKSPACE.COM A quick Overview of DevOps • The combination of traditional development activities with operations and testing (QA/QE) • Collaboration, communication and integration is key • Agile development model (sprints, scrum, …) • Release coordination and automation 5 "DevOps" is an emerging set of principles, methods and practices for communication, collaboration and integration between software development (application/software engineering) and IT operations (systems administration/infrastructure) professionals.
  • 6. RACKSPACE® HOSTING | WWW.RACKSPACE.COM CI, CD, CD, TDD and API CI == Continuous Integration CD == Continuous Deployment CD == Continuous Delivery TDD == Test Driven Development API == Application Programming Interface 6
  • 7. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 7 • Cycle time for software is getting shorter • Continuous delivery is a goal • Scanning windows are not viable • First mover / first to market advantage THE PROBLEM 7
  • 8. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 8 THE PROBLEM – or at least more • Traditional software development left little time to test • DevOps, Agile and Continuous Delivery squeeze those windows even more • New languages and programming methods aren’t making this better • Growth of interpreted languages with loose typing hurts static analysis efforts • Few automated tools to test APIs especially RESTful APIs • Little time for any testing, manual testing is doomed
  • 9. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 9 • Automated software testing • Automated operational infrastructure • Automated security testing THE SOLUTION 9
  • 10. RACKSPACE® HOSTING | WWW.RACKSPACE.COM Think like a developer Sprints break software into little pieces… • Break your testing into little pieces • Use your threat model to know the crucial bits to test 10 Long and short running tests • Testing time drives testing frequency • Code for tests needs to be optimized Smoke test versus full regression test • Smoke test early and often • Full regression tests on regular intervals
  • 11. RACKSPACE® HOSTING | WWW.RACKSPACE.COM Maximize what you’ve got Make the most of your frameworks •Embrace, understand and fill gaps where necessary 11 Make the best use of your time… • Make tests easily repeatable • Make tests easy to understand • Make tests abstract and combine-able • Ala carte tests for mixing and matching • Think about the Unix pipe | and its power
  • 12. RACKSPACE® HOSTING | WWW.RACKSPACE.COM Under the constraints of DevOps, Continuous Deployment 12 Your testing has to be nimble Dare I say…Agile In TDD, you know your code works when the tests pass In TD(S), you know your app has met the baseline when the tests pass
  • 13. RACKSPACE® HOSTING | WWW.RACKSPACE.COM Its time to set the snail on fire! 13 ➔ Infrastructure ➔ App / API ➔ Code
  • 14. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 14 Securing Infrastructure
  • 15. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 15 Automating Infrastructure 15 • Declarative configuration language • Plain-text configuration in source control • Fully programmatic, no manual interactions
  • 16. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 16 Chef 16 1. Solo 2. Server 3. Hosted 4. Private Hosted Node Node Node Node Node Node Node Node Node Node Node Node Node Node Node Sys Admin Server / Hosted / Private
  • 17. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 17 Cookbooks 17 • Most major software packages have cookbooks • You will have to write your own / customize • Good place to spend security cycles -Merge patches upstream for extra points.
  • 18. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 18 Grouping & Tagging 18 • Tagging your servers applies the required set of recipes • A base set of recipes is common • Each server will have multiple tags set at bootstrap time Node Node Node Node DB Node Node Node Node Cache Node Node Node Node Web Apache Monitoring MySql Memcache
  • 19. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 19 Inspector – you need one 19 • For each group and/or tag • Review the recipe • Hook provisioning for post deploy review • Focus on checking for code compliance -Not perfection, bare minimums • Can include multiple facets -Security -Scalability -Compliance
  • 20. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 20 Agent – one mole to rule them all 20 • Add an agent to the standard deploy • Read-only helps sell to SysAdmin • Looks at the state of the system • Reports the state to the “mothership” • Add a dashboard to visualize state of infrastructure • Change policy, servers go red • Watch the board go green as patches roll-out • Roll your own or find a vendor
  • 21. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 21 Turn Vuln scanning on its head 21 • Add value for your ops teams • Subscribe and parse vuln emails for key software • Get this info during threat models • Provide an early warning and remove panic from software updates • Roll your own or find a vendor • Gmail + filters can work surprisingly well • Secunia VIM covers 40K+ products • Reverse the scan then report standard
  • 22. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 22 Securing Apps & APIs
  • 23. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 23 Findings directly to bug trackers 23 • PDFs are great, bugs are better • Work with developer teams to submit bugs • Security category needs to exist • Bonus points if the bug tracker has an API • Security issues are now part of the normal work flow • Beware of death by backlog • Occasional security sprints • Learn how the team treats issues
  • 24. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 24 For the reticent: nag, nag, nag 24 • Attach a SLA to each severity level for findings • Remediation plan vs Fixed • “Age” all findings against these SLAs • Politely warn when SLA dates are close • Walk up the Org chart as things get older • Bonus points for dashboards and bug tracker APIs • Get management sold first
  • 25. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 25 Reports = Findings + Automation 25 • Consider markup for findings • Markdown, Wiki Text, asciidoc • Pandoc to convert to whatever • HTML, PDF, .doc, .odt, ... • Keep testers writing the least possible • Template and re-use boiler plate items • New finding == new template for next time • Web app to keep things consistent • Create your own or maybe Dradis
  • 26. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 26 Leverage existing consistencies 26 • Requires consistent (generally automated) input • Find these and write some scripts • Automate the drudgery • Examples: • Automate finding/bug submission • Automate report PDF generation • API documentation to basic testing harness
  • 27. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 27 Securing Code
  • 28. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 28 Start with the developers 28 • Finding details have to be detailed enough to: • Reproduce the issue after 6 months • Allow QE to test the issue • Allow developers to find/fix the issue • Consider quick and dirty scripts to reproduce issue • Script to abuse an API • Web page of reflective XSS findings • Once findings start flowing, look for training requests
  • 29. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 29 Cherry pick what you look at 29 • Threat Models are your friends • Focus on weak, unclear or suspicious areas • Focus on connections with external systems • Focus on format translations (XML to JSON) • When code changes in those areas, • Red flag it for review • Change +2 to +3 to before accepting pull request • Use search features in source code management • Start a list of problematic methods, calls, etc
  • 30. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 30 No False Positives, period 30 • If you can automate code review, you still must triage • 1 false positive == 100 valid bugs • If results aren't actionable, fail • Stick to diff analysis • Threat Modeling + “Scary Parts” + Code diffs == Quick triage of code changes • Automate where you can, iterate until you're happy • Need to build cred points with the dev teams
  • 31. RACKSPACE® HOSTING | WWW.RACKSPACE.COM 31 Quiet is better then wrong 31 • Hire or befriend developers • Need to speak their language, not security's • Suggest requirements not implementation • Mitigation suggestions either generic or in the language the app is written in • Remember: Fast deploys also means fast fixes • Trying to shrink any vuln window not eliminate • Be prepared to retest / verify fix quickly
  • 32. RACKSPACE® HOSTING | WWW.RACKSPACE.COM So I was talking with a friend… He was bemoaning the pace of change and the speed at which software was being pushed to production… 32 In essence, management has made the decision that getting their app out the door with possible bugs is more valuable to the business then having strong assurance that the software has few or no significant bugs. You’ve got to up your game, get automated, agile and get on pace with your developers.
  • 33. 33 RACKSPACE® HOSTING | 5000 WALZEM ROAD | SAN ANTONIO, TX 78218 US SALES: 1-800-961-2888 | US SUPPORT: 1-800-961-4454 | WWW.RACKSPACE.COM RACKSPACE® HOSTING | © RACKSPACE US, INC. | RACKSPACE® AND FANATICAL SUPPORT® ARE SERVICE MARKS OF RACKSPACE US, INC. REGISTERED IN THE UNITED STATES AND OTHER COUNTRIES. | WWW.RACKSPACE.COM ANY QUESTIONS? Slides on slideshare – look for user “mtesauro”

Editor's Notes

  1. The purpose of this slide is to illustrate both the scale and scope of Rackspace in terms of the customers we serve and services we provide. Rackspace Hosting From both a Racker perspective and customer base perspective, we have seen dramatic growth. Our clients include more than 60% of the Fortune® 100. Today we have more than 190,000 customers in 120 countries. From a scope perspective, we have 8 DC’s serving our WW customer base and a broad portfolio of Cloud offerings….which is very important as it allows customers to mix and match our infrastructure to best suite the needs of their application. It drives flexibility. One of the achievements that we are most proud of is that Rackspace Hosting has been recognized by Fortune as one of the 100 best places to work not only in the United States, but in EMEA as well. People really like working here. What that means to customers is that we have a growing, stable workforce that is carefully selected not only for technical skills but also for how much each employee enjoys delivering exceptional service, and how well they match our culture and core values. OUR CULTURE AND THE EXCEPTIONAL SERVICE THAT WE BRAND AS FANATICAL SUPPORT MAKE THE DIFFERENCE BETWEEN GROWING AT, SAY, 5% A YEAR AND GROWING AT THE MUCH FASTER RATE THAT OUR COMPANY HAS EXPERIENCED IN THE LAST FEW YEARS Open Cloud - You’ll also note from looking at our logo in the upper left of the page….that we are branding our company as the “Open Cloud” company. As a founding member of the OpenStack community, we are committed to leveraging open technologies such as OpenStack to minimize technology lock-in and maximize flexibility. It means that we want to give our customers the choice to run their applications on infrastructure best suited to their particular application/workload. finally, Rackspace is the leader in Gartner’s Magic Quadrant for Managed Hosting….which really is a testament to our broad portfolio and the service we provide branded as Fanatical Support
  2. Vision Everyone at Rackspace can tell you our vision, a vision that we all support to become the world’ s greatest service company. Our senior leadership is passionate about this. We refuse to accept mediocre. Once you accept less than great, you become “ a phone company. ” And, when was the last time you got great service from your mobile carrier or home phone company? PAUSE BUT, YOU CANNOT JUST HAVE A VISION TOO…
  3. Vision Everyone at Rackspace can tell you our vision, a vision that we all support to become the world’ s greatest service company. Our senior leadership is passionate about this. We refuse to accept mediocre. Once you accept less than great, you become “ a phone company. ” And, when was the last time you got great service from your mobile carrier or home phone company? PAUSE BUT, YOU CANNOT JUST HAVE A VISION TOO…
  4. Vision Everyone at Rackspace can tell you our vision, a vision that we all support to become the world’ s greatest service company. Our senior leadership is passionate about this. We refuse to accept mediocre. Once you accept less than great, you become “ a phone company. ” And, when was the last time you got great service from your mobile carrier or home phone company? PAUSE BUT, YOU CANNOT JUST HAVE A VISION TOO…
  5. Vision Everyone at Rackspace can tell you our vision, a vision that we all support to become the world’ s greatest service company. Our senior leadership is passionate about this. We refuse to accept mediocre. Once you accept less than great, you become “ a phone company. ” And, when was the last time you got great service from your mobile carrier or home phone company? PAUSE BUT, YOU CANNOT JUST HAVE A VISION TOO…