creating an appsecpipeline with containers in a week · 2020-01-17 · creating an appsecpipeline...
TRANSCRIPT
CreatinganAppSec PipelinewithcontainersinaweekHowwefailedandsucceeded
JeroenWillemsen– OWASPbenelux days
TheChallenge:Existingworkflow
ReadyforValidation
E2ETest
DeploytoDev
UnitTest
StoreArtifact
BuildPull&Merge
TheSolution:Extend the build step
Add dependency &license checkersontopofquality tooling.
GetfeedbackFAST!
TheSolution:Feeding ZAP&BURP
E2ETestwithproxy
Scheduledlongscans
DeploytoDev
UnitTest
StoreArtefact
BuildPull&Merge
Quickscan
TheSolution:Clair
• RunClaironthecreatedcontainers.
• Todo:runClairregularlyontheregistry,addwhitelists&integratewithThreadfix.– Bynowthiscouldbedonedifferentlyusingtheclair-scannerfromArminC.
TheSolution:Containerize!
• Ourtoolsembeddedincontainers:+ Lessadditionalplatformcomplexities+Canrunanywhere(locally/deployed)+ Easytoscale- Stillneedtomanagethedata!- Moreassetsthatmightcontainvulnerabilities- Notperfect:stillhavetohardenourassets
TheSolution:Astartingpoint
./clair-scannerapp/threadfix example-whitelist.yamlhttp://10.200.98.63:606010.200.98.632017-05-1210:50:19.712897I|Analyzing014fdc7e45e4e7c5967856fc65d7bb5ff0b324fe4ef1ac8ce448843ab310416aAnd9otherlayers...Giving:2017-05-1210:50:19.854789I|Imagecontainsunapprovedvulnerabilities:[CVE-2017-6508]
Examplescanwithalaterversionoftheclair-scannerbyArminCoralic:
TheSolution:Astartingpoint
• 2017-05-1210:50:19.854789I|Imagecontainsunapprovedvulnerabilities:[CVE-2017-6508]– Avulnerabilitywhencreatingthecontainer– Notusedduringruntime– Claircannotpickupthelayersinwhichyoucreateyourowncustomtooling(yourownjar’s,executables,etc.)
Bump1:Falsepositives
• Use settings/plugins inappà noscaling.
• Use aDBwith aframework:
• Havean API&
Bump3:Notfrustratedevelopers
• Give feedbackfast!• Automate all the things!• Bepartofthe team• Filter&suppress false positives ASAP• Use known tooling
Bump4:IntegratingBurpproxy
• IntegrationwithBurpisnotcompleted– Custombuildsforcontainers– Attimeoftesting:AdditionalextensionsnecessarytohaveaproperRESTAPI
Bump5:Falsenegatives….
Securityautomationdoesnotmean:nomanualpentesting.
Evenwhenyouaddmoretools(whichwehaveto…).
Lessonlearnedlateron
• UsetheSWAGGERApi ifpossible• Soooooooo manytoolstouse:– Docker?ThinkofDockerBench,OpenSCAP,Anchore,etc…– Infrastructure?Startwith OpenVAS,OpenSCAP,Inspec– Inspectcertificates:SSLlabs,testSSL.sh– Everylanguagehasitsquality&securitytooling
Recap
• Automateallthethings:getfeedbackFAST.• Containerize• Filterfalsepositives• StublegacyAPIs• HELPdevelopers,DONOTfrustrate!• Stillaneedformanualpentesting &reviewing.• Getplatform-teamsupport!• Everypartofthepipelineisablessing!