add security testing tools to your delivery pipeline
© COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 1@CoverosGene
Add Security Testing Tools to Your Delivery Pipeline
Gene Gotimer
Senior Architect
About Coveros
• Coveros builds security-critical applications using agile methods.
• Coveros Services
  • Agile transformations
  • Agile development and testing
  • DevOps and continuous integration
  • Application security analysis
  • Agile & Security training
• Government qualifications
  • DCAA approved rates and accounting
  • TS facility clearance
Areas of Expertise
Select Clients
Security Testing
Information Security
• Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
• The key concepts of information security include:
  • Confidentiality
  • Integrity
  • Availability
  • + Authenticity
  • + Non-Repudiation
Security Testing
• Often put off until late or ignored completely
Fix security issues and delay release?
Release on time and accept security risks?
Return on Investment
“Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn't make sense in this context.”
-- Bruce Schneier, Schneier on Security
https://www.schneier.com/blog/archives/2008/09/security_roi_1.html
Security in the Delivery Pipeline
Security Tools
“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.”
-- Bruce Schneier, Secrets & Lies
Security Testing Process
1. Use tools to help detect the obvious security problems
2. Remediate
3. Search for less obvious security problems
4. Repeat
[Diagram: better security process → fewer obvious security issues → time to find less obvious security issues → better security]
Incorporate Security Testing
Do just enough of each type of testing early in the pipeline to determine if further testing is justified.
Tools to Consider Adding to the Process
It is easier to protect less
mvn dependency:tree
mvn dependency:analyze
mvn com.ning.maven.plugins:maven-dependency-versions-check-plugin
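One way to turn the `dependency:analyze` step above into a pipeline gate, as an added example that is not part of the talk or of Coveros' tooling: it parses the plugin's console output (fed in from `mvn -B dependency:analyze` in a real run; a constructed sample is embedded here) and fails when dependencies are declared but unused, or used but undeclared. The `allow_unused` list and the sample coordinates are assumptions.

```python
"""Gate a Maven build on the console output of `mvn dependency:analyze`.
Added example, not from the talk: less shipped code is less to protect."""
import re

COORD_RE = re.compile(r"^\[WARNING\]\s+(?P<coord>\S+:\S+:\S+:\S+:\S+)\s*$")
SECTIONS = {"Used undeclared dependencies found:": "used_undeclared",
            "Unused declared dependencies found:": "unused_declared"}


def parse_analyze_output(text):
    """Collect the coordinates listed under each WARNING section the plugin prints."""
    found = {"used_undeclared": [], "unused_declared": []}
    current = None
    for line in text.splitlines():
        header = line.replace("[WARNING]", "", 1).strip()
        if header in SECTIONS:
            current = SECTIONS[header]
            continue
        match = COORD_RE.match(line)
        if match and current:
            found[current].append(match.group("coord"))
        elif not line.startswith("[WARNING]"):
            current = None  # any non-WARNING line ends the section
    return found


def gate(found, allow_unused=frozenset()):
    """Pass only if nothing is flagged; allow_unused holds groupId:artifactId
    pairs that are declared on purpose (e.g. drivers loaded by reflection)."""
    unused = [c for c in found["unused_declared"]
              if ":".join(c.split(":")[:2]) not in allow_unused]
    return {"ok": not unused and not found["used_undeclared"],
            "unused_declared": unused,
            "used_undeclared": list(found["used_undeclared"])}


# Constructed sample of the plugin's console output, so the gate runs offline.
SAMPLE_OUTPUT = """\
[WARNING] Used undeclared dependencies found:
[WARNING]    org.apache.commons:commons-lang3:jar:3.4:compile
[WARNING] Unused declared dependencies found:
[WARNING]    junit:junit:jar:4.12:test
[WARNING]    com.google.guava:guava:jar:19.0:compile
[INFO] BUILD SUCCESS
"""

if __name__ == "__main__":
    result = gate(parse_analyze_output(SAMPLE_OUTPUT), allow_unused={"junit:junit"})
    raise SystemExit(0 if result["ok"] else 1)
```

Note that the plugin itself does not fail the build on these warnings unless told to, which is why the gate reads its output rather than relying on the Maven exit code.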
Poor quality code is harder to maintain
… and harder to secure
Make sure your tests actually test
Mutation testing
Keep libraries up-to-date
Negative testing
User role testing… what should users not be able to do?
Use a proxy
OWASP ZAP… and piggy-back on functional tests
• passive proxy
• active scanner
• fuzzer
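The piggy-back idea in code, as an added example that is not from the talk: the functional tests route their HTTP calls through ZAP's passive proxy, then the pipeline pulls ZAP's alerts over its JSON API and fails the step if the risk policy is exceeded. ZAP's address (localhost:8080, its default), the thresholds and the sample alerts are assumptions.

```python
"""Run functional tests through OWASP ZAP and gate the build on its alerts.
Added example, not from the talk; ZAP address and thresholds are assumed."""
import json
import urllib.parse
import urllib.request

ZAP = "http://localhost:8080"  # assumed ZAP proxy and API address
RISKS = ("High", "Medium", "Low", "Informational")


def proxied_opener(proxy=ZAP):
    """Opener for the functional tests: every request passes through ZAP's passive scanner."""
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}))


def fetch_alerts(base_url, zap=ZAP, api_key=""):
    """Pull alerts for base_url from ZAP's core/view/alerts API (network call)."""
    query = urllib.parse.urlencode({"baseurl": base_url, "apikey": api_key})
    with urllib.request.urlopen(f"{zap}/JSON/core/view/alerts/?{query}") as resp:
        return json.load(resp)


def summarize_alerts(payload):
    """Count distinct alerts per risk level; ZAP reports one entry per instance."""
    counts = dict.fromkeys(RISKS, 0)
    seen = set()
    for alert in payload.get("alerts", []):
        key = (alert.get("name"), alert.get("url"), alert.get("param"))
        if key not in seen:
            seen.add(key)
            risk = alert.get("risk", "Informational")
            counts[risk] = counts.get(risk, 0) + 1
    return counts


def gate(counts, max_high=0, max_medium=2):
    """True when the scan is within policy (thresholds are example assumptions)."""
    return counts["High"] <= max_high and counts["Medium"] <= max_medium


# Constructed sample in the shape ZAP's API returns, so this runs offline.
SAMPLE_ALERTS = {"alerts": [
    {"risk": "High", "name": "SQL Injection", "url": "http://app/login", "param": "user"},
    {"risk": "High", "name": "SQL Injection", "url": "http://app/login", "param": "user"},
    {"risk": "Medium", "name": "X-Frame-Options Header Not Set", "url": "http://app/", "param": ""},
    {"risk": "Low", "name": "Cookie Without Secure Flag", "url": "http://app/", "param": "JSESSIONID"},
]}
```

In a pipeline, the functional test suite is pointed at `proxied_opener()`, and after it finishes `gate(summarize_alerts(fetch_alerts(app_url)))` decides whether the build proceeds.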
Repeatable, reliable deployments… and test that through practice
Audit yourself
Scan the web application
Scan the web server configuration
Scan the system… before and after installing software
Scan all the systems… don’t forget the infrastructure
Keep packages up-to-date
Test performance… even if you just watch the trends
Test the database… for security and performance
Protect against hackers … even on development and test systems
Continuously improve
A little better is still better.
Keep improving.
… and don’t expect perfectly secure
Find more tools
Questions?
Gene [email protected]
@CoverosGene