put yourself in the appsec pipe - paolo perego - codemotion milan 2016
TRANSCRIPT
$ whoami• 15 anni nell’industria #itsec
• Tech blogger @codiceinsicuro
• ❤ sviluppare security source code scanners (Owasp Orizon, dawnscanner)
• ❤ tenere talk su temi di #appsec
• Seguimi su @thesp0nge
Agenda
• Talk about testing scenarios
• Talk about what an appsec pipe is and what do you need to create one
• Be inspired, go home and do some homework
The unacceptable solution…
• Tests must be done:
• in production environment
• before going live
• Testers need:
• the code being frozen
• some “fake” accounts
• a couple of week to do the job
… for a difficult task• Products can not delay time to market
release to allow security tests
• Tests must be performed on each release
• Often companies do releases on a weekly basis
• There are no fake accounts on a production server
• Code is never on a frozen state
• This applies to web properties and mobile applications
• Tests are not sawn as investment
Before we start
• We need
• Commitment
• An organised SDLC
• A development team aware about #appsec topic
• An #appsec team (with patience and some coding skills)
Then we can build the #appsec pipeline(https://www.owasp.org/index.php/OWASP_AppSec_Pipeline)
The collector toolA way for our customer to ask for services, keep track about the progress and
having results back
Your favourite collection of #appsec toolsYou may want to cover vulnerability assessment, penetration test, web application
penetration test and code review at least. Keep calm and let’s go shopping.
The OrchestratorYour customers ask for services, you need an automatic dispatcher mechanism to
the appropriate tool. Of course you need also something retrieving results too.
The ticketing systemYou need something to keep track about vulnerabilities, about their history and
their state.
A Grape based orchestrator to run tool in our pipelineVery alpha - Opensource - Integrates Nmap, Dawnscanner and Owasp ZAP
Some tools to check• Sinatra with Grape (create HTTP API
endpoints)
• Owasp ZAP (WAPT on steroids)
• Owasp DeepViolet (check your SSL config)
• Nexpose + nexpose gem (automate vulnerability assessment)
• Brakeman/Dawnscanner (ultimate ruby code review)
• Owasp Orizon (Java security code review)
• Owasp GLUE gem (pipeline related tool)
• Canaveral (a Grape based orchestrator for your pipeline)