devseccon asia 2017 - abhay bhargav: building an application vulnerability toolchain for secdevops

Upload: devseccon-limited

Post on 12-Apr-2017

TRANSCRIPT

Page 1: DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability Toolchain for SecDevOps

Join the conversation #devseccon

Building an Application Vulnerability Toolchain for SecDevOps

By Abhay Bhargav, CTO - we45

Page 2

Quick Intro

• Co-author of Secure Java For Web Application Development

• Author of PCI Compliance: A Definitive Guide

• Passionate about Automation in Security

• Avid Pythonista

• Trainer and Workshop Lead for Security Training Workshops

Page 3

The reason I got into this….

Page 4

This is where we operate…

End-to-end IT Development and Operations value

Plan → Code → Build → Test → Release → Deploy → Operate

Practices layered over this pipeline: Agile development, Continuous Integration, Continuous Delivery, DevOps

Page 5

Our Learnings - 1

• Leverage Automation for anti-fragile apps

• Automation is a 'misused' word.

• Does NOT mean replace all human effort

• It means LEVERAGE human effort where it really adds value

• REUSE human effort to generate actions

Page 6

Our Learnings

Identify how to test

Leverage the best

Build the rest

And correlate!

Page 7

Identify How to Test with SecDevOps Strategies

• Objective: Identify implementation that makes sense

• Stack

• Platform

• How Agile are you?

• Existing DevOps Practices

Page 8

Leverage the Best

• Great SAST, DAST, etc out there, but….

• Different tools do different things better

• Why not leverage the best?

• Spidering?? Really?? - Scripted, instrumented walkthroughs are the way to go

• What about Exploits?

• Dockerize FTW!

Page 9

Instrumenting and Testing REST API

• Spidering Web Services/RESTful APIs is not feasible

• Existing test tools, IMHO, are really not meant for Security Testing

• We built a tool:

  • Chain API Requests + Variables

  • Data passed to the Requestor from a YAML spec (easy to generate)

  • Built-in Fuzzer that works with JSON - mapping JSON for Variables, etc.

• When passed through BurpSuite/ZAP/etc., the results are powerful
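The request chaining and JSON fuzzing the slide describes, as an added example that is not we45's tool or any code from the talk: a small Python harness (the deck lists Python-Requests and YAML among its tools) that reads a request chain from a spec, substitutes `${variables}` extracted from earlier responses into later requests, and replays a chosen step with type and boundary mutations of its JSON fields, reporting server errors. The host, endpoints, field names and the `fake_transport` are constructed so the block runs offline; a real run would hand the built requests to `requests.request()` with `proxies` pointed at ZAP or Burp.

```python
"""Added example (not we45's tool): a YAML-driven API request chainer with
variable extraction and a JSON-aware fuzzer, in the spirit of the slide.
The HTTP transport is pluggable, so the block runs offline against a fake API."""
import copy
import re
from typing import Any, Dict, List, Tuple

VAR = re.compile(r"\$\{(\w+)\}")      # ${name} placeholders inside the spec

# Constructed spec, identical to what yaml.safe_load() returns for the YAML a
# tester would write. Host, paths and field names are hypothetical.
SPEC: Dict[str, Any] = {
    "base_url": "https://api.example.test",
    "steps": [
        {"name": "login", "method": "POST", "path": "/auth/login",
         "json": {"username": "ci-user", "password": "${PASSWORD}"},
         "extract": {"token": "access_token"}},       # response key -> variable
        {"name": "create_order", "method": "POST", "path": "/orders",
         "headers": {"Authorization": "Bearer ${token}"},
         "json": {"sku": "ABC-123", "quantity": 2},
         "extract": {"order_id": "id"}, "fuzz": ["quantity", "sku"]},
        {"name": "get_order", "method": "GET", "path": "/orders/${order_id}",
         "headers": {"Authorization": "Bearer ${token}"}},
    ],
}


def load_spec(text: str) -> Dict[str, Any]:
    """Parse the YAML form of the spec (PyYAML is an optional dependency)."""
    import yaml  # type: ignore
    return yaml.safe_load(text)


def substitute(obj: Any, env: Dict[str, Any]) -> Any:
    """Replace ${var} in every string of a nested JSON-like structure."""
    if isinstance(obj, str):
        return VAR.sub(lambda m: str(env[m.group(1)]), obj)
    if isinstance(obj, dict):
        return {k: substitute(v, env) for k, v in obj.items()}
    if isinstance(obj, list):
        return [substitute(v, env) for v in obj]
    return obj


def build_request(spec, step, env) -> Dict[str, Any]:
    step = substitute(step, env)
    return {"method": step["method"], "url": spec["base_url"] + step["path"],
            "headers": step.get("headers", {}), "json": step.get("json")}


def run_chain(spec, transport, env=None) -> Tuple[List[Tuple[str, int]], Dict[str, Any]]:
    """Send the steps in order, feeding extracted response values forward."""
    env = dict(env or {})
    results = []
    for step in spec["steps"]:
        resp = transport(build_request(spec, step, env))
        for var, key in step.get("extract", {}).items():
            env[var] = resp["json"][key]
        results.append((step["name"], resp["status"]))
    return results, env


def mutations(value: Any) -> List[Any]:
    """Type and boundary mutations for one JSON field (no attack strings)."""
    out: List[Any] = [None, "", "A" * 4096, [], {}, True, 0, -1, 2 ** 31]
    if isinstance(value, int) and not isinstance(value, bool):
        out.append(str(value))            # number sent as string: type confusion
    return out


def fuzz_step(spec, name: str, transport, env) -> List[Tuple[str, Any, int]]:
    """Replay one step with each fuzz field mutated; report 5xx responses."""
    step = next(s for s in spec["steps"] if s["name"] == name)
    anomalies = []
    for field in step.get("fuzz", []):
        for m in mutations(step["json"][field]):
            mutated = copy.deepcopy(step)
            mutated["json"][field] = m
            resp = transport(build_request(spec, mutated, env))
            if resp["status"] >= 500:
                anomalies.append((field, m, resp["status"]))
    return anomalies


def fake_transport(req: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed stand-in for an HTTP client. In a real run this would be
    requests.request(**req) with proxies pointed at ZAP or Burp."""
    body = req.get("json") or {}
    if req["url"].endswith("/auth/login"):
        ok = body.get("password") == "s3cret"
        return {"status": 200 if ok else 401, "json": {"access_token": "tok-42"} if ok else {}}
    if req["headers"].get("Authorization") != "Bearer tok-42":
        return {"status": 401, "json": {}}
    if req["method"] == "POST" and req["url"].endswith("/orders"):
        qty = body.get("quantity")
        if isinstance(qty, bool) or not isinstance(qty, int):
            return {"status": 500, "json": {"error": "unhandled type"}}   # the bug fuzzing exposes
        return {"status": 201, "json": {"id": 7}}
    if "/orders/" in req["url"]:
        return {"status": 200, "json": {"id": 7, "sku": "ABC-123"}}
    return {"status": 404, "json": {}}


if __name__ == "__main__":
    results, env = run_chain(SPEC, fake_transport, {"PASSWORD": "s3cret"})
    print(results, fuzz_step(SPEC, "create_order", fake_transport, env))
```

The chain is run once to establish state (the bearer token and an order id), and only then is a single step replayed with mutations, so every fuzzed request is authenticated the same way a scripted walkthrough would be; the 5xx filter is deliberately crude and is where a practitioner would plug in response diffing or the proxy's passive scan results.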

Page 10

Target App, exercised by:

• w3af

• OWASP ZAP

• BURPSuite Professional

• Custom Automation/SAST

Page 11

Orchestration framework

1. Correlation

2. False positive elimination

3. Enhanced intelligence

4. Forward integration (JIRA/Bugzilla)

Page 12

Build the Rest

• Exploits

• Orchestration Framework

• Granular Control over the Testing Process

• Correlation

Page 13

Correlate

• Correlate Data from across:

  • Generic DAST Scans

  • Custom Automation

  • SAST

• NoSQL DBs are suited for it

• Attack Surface Mapping - is a Great idea!
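The correlation stage sketched on pages 11 and 13, as an added example that is not the orchestration framework from the talk: constructed findings shaped loosely like ZAP, w3af, custom-automation and SAST output are normalised into one finding document (the schema a NoSQL store would hold), grouped on vulnerability class, endpoint and parameter, and scored by tool agreement, so that single-source generic-DAST hits are flagged for review rather than forwarded straight to JIRA/Bugzilla. The tool field names, the class map and every sample record are assumptions made for the example.

```python
"""Added example (not we45's framework): normalise multi-tool findings into one
schema, correlate them, and triage by tool agreement before forward integration."""
from collections import defaultdict
from typing import Any, Dict, List
from urllib.parse import urlsplit

# Constructed sample records, only loosely shaped like each tool's export.
ZAP = [{"alert": "SQL Injection", "url": "https://app.example.test/items?id=1", "param": "id", "risk": "High"},
       {"alert": "X-Content-Type-Options Header Missing", "url": "https://app.example.test/", "param": "", "risk": "Low"}]
W3AF = [{"name": "SQL injection", "url": "https://app.example.test/items", "var": "id"},
        {"name": "Cross site scripting", "url": "https://app.example.test/search", "var": "q"}]
CUSTOM = [{"check": "sqli", "endpoint": "/items", "param": "id", "evidence": "timing delta 5s"}]
SAST = [{"rule": "sql-injection", "file": "app/items.py", "route": "/items"}]

# Each tool's vocabulary mapped onto a shared class key (CWE id); assumed mapping.
CLASS_MAP = {"sql injection": "CWE-89", "sqli": "CWE-89", "sql-injection": "CWE-89",
             "cross site scripting": "CWE-79", "xss": "CWE-79",
             "x-content-type-options header missing": "CWE-693"}
GENERIC_DAST = {"zap", "w3af"}      # unattended scanners: most prone to false positives


def normalise(tool: str, raw: Dict[str, Any]) -> Dict[str, Any]:
    """Map one tool record onto the shared finding document."""
    if tool == "zap":
        name, url, param = raw["alert"], raw["url"], raw["param"]
    elif tool == "w3af":
        name, url, param = raw["name"], raw["url"], raw["var"]
    elif tool == "custom":
        name, url, param = raw["check"], raw["endpoint"], raw["param"]
    elif tool == "sast":
        name, url, param = raw["rule"], raw["route"], None   # static: no runtime param
    else:
        raise ValueError(f"unknown tool {tool}")
    return {"tool": tool, "cwe": CLASS_MAP.get(name.lower(), "UNMAPPED"),
            "endpoint": urlsplit(url).path or "/", "param": param or None, "raw": raw}


def correlate(findings: List[Dict[str, Any]]) -> Dict[tuple, List[Dict[str, Any]]]:
    """Group dynamic findings on (class, endpoint, param); attach SAST hits to
    every group on the same class and endpoint, since SAST has no parameter."""
    groups: Dict[tuple, List[Dict[str, Any]]] = defaultdict(list)
    for f in findings:
        if f["tool"] != "sast":
            groups[(f["cwe"], f["endpoint"], f["param"])].append(f)
    for f in findings:
        if f["tool"] == "sast":
            matches = [k for k in groups if k[0] == f["cwe"] and k[1] == f["endpoint"]]
            for k in matches or [(f["cwe"], f["endpoint"], None)]:
                groups[k].append(f)
    return groups


def triage(groups) -> List[Dict[str, Any]]:
    """Turn each correlated group into a tracker-ready record with a status."""
    tickets = []
    for (cwe, endpoint, param), items in groups.items():
        tools = sorted({i["tool"] for i in items})
        if len(tools) >= 2:
            status = "confirmed"            # independent tools agree
        elif tools[0] in GENERIC_DAST:
            status = "needs-review"         # lone scanner hit: probable false positive
        else:
            status = "likely"               # instrumented custom check or SAST alone
        tickets.append({"summary": f"{cwe} at {endpoint}" + (f" [{param}]" if param else ""),
                        "status": status, "sources": tools,
                        "evidence": [i["raw"] for i in items]})
    return sorted(tickets, key=lambda t: t["summary"])


def run() -> List[Dict[str, Any]]:
    findings = ([normalise("zap", r) for r in ZAP] + [normalise("w3af", r) for r in W3AF]
                + [normalise("custom", r) for r in CUSTOM] + [normalise("sast", r) for r in SAST])
    return triage(correlate(findings))


if __name__ == "__main__":
    for t in run():
        print(t["status"], t["summary"], t["sources"])
```

Only `confirmed` and `likely` records would be pushed to the tracker; `needs-review` ones stay in the store until a human or a second check (for example a replay through the instrumented walkthrough) promotes or closes them, which is the false-positive elimination step in practice.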

Page 14

Tools of our Trade - Where you start….

• Docker

• Selenium, Python-Requests, YAML, XVFB

• SAST Tools - Commercial and Open Source

• Platform AST Impl

• OWASP ZAP + Python API

• W3af + Python API

• BurpSuite Pro + Jython API

• ElasticSearch

Page 15

Join the conversation #devseccon

Thank you!

Twitter: @abhaybhargav

LinkedIn: linkedin.com/in/abhaybhargav

Blog: we45.com/blog