creating an appsecpipeline with containers in a week · 2020-01-17 · creating an appsecpipeline...
TRANSCRIPT
CreatinganAppSec PipelinewithcontainersinaweekHowwefailedandsucceeded
JeroenWillemsen– OWASPbenelux days
Agenda
• Thechallenge
• Thesolution
• Bumps onthe road
• Recap
THECHALLENGE
Whatcouldpossiblygowrong?
TheChallenge
TheChallenge:TheLandscape
TheChallenge:Existingworkflow
ReadyforValidation
E2ETest
DeploytoDev
UnitTest
StoreArtifact
BuildPull&Merge
TheChallenge:Newentries
• OWASPDependency-Check• Licensecheckers•
•
• Etc…
& & SAST
THESOLUTION
Wegotthere…kindoff
TheSolution:Extend the build step
Add dependency &license checkersontopofquality tooling.
GetfeedbackFAST!
TheSolution:Feeding ZAP&BURP
E2ETestwithproxy
Scheduledlongscans
DeploytoDev
UnitTest
StoreArtefact
BuildPull&Merge
Quickscan
TheSolution:DAST&reporting
TheSolution:Clair
• RunClaironthecreatedcontainers.
• Todo:runClairregularlyontheregistry,addwhitelists&integratewithThreadfix.– Bynowthiscouldbedonedifferentlyusingtheclair-scannerfromArminC.
TheSolution:Containerize!
• Ourtoolsembeddedincontainers:+ Lessadditionalplatformcomplexities+Canrunanywhere(locally/deployed)+ Easytoscale- Stillneedtomanagethedata!- Moreassetsthatmightcontainvulnerabilities- Notperfect:stillhavetohardenourassets
TheSolution:Astartingpoint
./clair-scannerapp/threadfix example-whitelist.yamlhttp://10.200.98.63:606010.200.98.632017-05-1210:50:19.712897I|Analyzing014fdc7e45e4e7c5967856fc65d7bb5ff0b324fe4ef1ac8ce448843ab310416aAnd9otherlayers...Giving:2017-05-1210:50:19.854789I|Imagecontainsunapprovedvulnerabilities:[CVE-2017-6508]
Examplescanwithalaterversionoftheclair-scannerbyArminCoralic:
TheSolution:Astartingpoint
• 2017-05-1210:50:19.854789I|Imagecontainsunapprovedvulnerabilities:[CVE-2017-6508]– Avulnerabilitywhencreatingthecontainer– Notusedduringruntime– Claircannotpickupthelayersinwhichyoucreateyourowncustomtooling(yourownjar’s,executables,etc.)
TheSolution:Did it work?
YES!Not all components arein,
butfeedbackisalready ofgreat value
BUMPSONTHEROAD
And their countermeasures
Bump1:Falsepositives
Bump1:Falsepositives
• Use settings/plugins inappà noscaling.
• Use aDBwith aframework:
• Havean API&
Bump2:LegacyAPIs
X
Bump2:LegacyAPIs
TestlegacyAPIsseparatelyL
Stubit,withthehelpoftheteams
Bump3:Notfrustratedevelopers
• Give feedbackfast!• Automate all the things!• Bepartofthe team• Filter&suppress false positives ASAP• Use known tooling
Bump4:IntegratingBurpproxy
• IntegrationwithBurpisnotcompleted– Custombuildsforcontainers– Attimeoftesting:AdditionalextensionsnecessarytohaveaproperRESTAPI
Bump5:Falsenegatives….
Securityautomationdoesnotmean:nomanualpentesting.
Evenwhenyouaddmoretools(whichwehaveto…).
Bump6:Platformteamavailability
Lessonlearnedlateron….
• Theneedformultiplepipelines…
Appsec-pipeline:
Lessonlearnedlateron….
• Theneedformultiplepipelines…
Appsec-pipeline:
Securitypipeline:
Nmap
….
Lessonlearnedlateron
• UsetheSWAGGERApi ifpossible• Soooooooo manytoolstouse:– Docker?ThinkofDockerBench,OpenSCAP,Anchore,etc…– Infrastructure?Startwith OpenVAS,OpenSCAP,Inspec– Inspectcertificates:SSLlabs,testSSL.sh– Everylanguagehasitsquality&securitytooling
RECAP
To sum up
Recap
• Automateallthethings:getfeedbackFAST.• Containerize• Filterfalsepositives• StublegacyAPIs• HELPdevelopers,DONOTfrustrate!• Stillaneedformanualpentesting &reviewing.• Getplatform-teamsupport!• Everypartofthepipelineisablessing!
QUESTIONS?
THANKYOU!