Automating Security in CI/CD Pipelines: Our OWASP ZAP Journey
DB Systel GmbH | Sebastian Biehler, André König, Tommaso Nuccio | Team Application Security Specialists | OpenRheinMain 2019 | 2019-09-13
Agenda
1. Who we are and what we do
2. A CI/CD pipeline and its security challenges
3. Dynamic Application Security Testing (DAST)
Who is DB Systel?
Security & Cloud are currently two of our main topics
But the cloud is just a tool. You have to use it the right way.
DevOps teams = using CI/CD pipelines
Who is Team Application Security Specialists @ DB Systel? What we do...
Young & agile team implementing a security development lifecycle at DB Systel
Typical steps in a software development project: Project definition, Evaluation, Concept, Technical Design, Implementation, Test.

Security services we offer for our projects (grouped into Standards & Guidelines, Solutions, Quality Assurance):
- Security Kick-Off
- Non-functional Requirements
- Threat and Risk Analysis
- Architecture Review
- Design Guidelines
- Coding Guidelines
- Reference Architectures and Reference Implementations
- Shared Security Services and Libraries
- Sourcecode Analysis
- Security Tests
...and why we do it: attacks on web applications are on top of the list
- SQLi (SQL Injection): injecting database commands through e.g. unsanitized input fields on websites
- LFI (Local File Inclusion): accessing confidential server-side files like /etc/passwd through e.g. directory traversal
- XSS (Cross-Site Scripting): injecting script code through e.g. unsanitized input fields on websites
- RFI (Remote File Inclusion): injecting remote files into the application through e.g. unsanitized input
- PHPi (PHP Injection): injecting PHP objects through unsanitized input to a deserialization function
Source: ENISA Threat Landscape 2017
...and how we do it: we provide easy to integrate services for our project teams
People, process, technology: the Application Security Specialists (Security Business Unit) provide services to the projects of the App. Dev. Business Unit.
1. Application Security Specialists develop a security service
2. Security service is provided in an image repository
3. Project integrates the security service in its CI pipeline
4. Security service is applied on every commit

Diagram: the CI pipeline in the cloud zone of project x pulls the SAST, dependency checker and DAST images from the image repository; on every commit of code the pipeline runs SAST, dependency check, build, integrate, test / DAST, and then creates and pushes the application image.
A CI/CD pipeline and its security challenges

Stage | Security challenge | Security control
Code Repository | Vulnerable code (see previous slide) | Static Application Security Testing (SAST) on application level
Integration | Vulnerabilities in dependent libraries (same) | Dependency Checker
Image Repository | Vulnerable platform components (OS, Application Server, Database, ...) | Static Application Security Testing (SAST) on platform level
Running Application | False negatives from all above, vulnerable configurations, ... | Dynamic Application Security Testing (DAST)

Diagram: Developer, Code Repository (code, dependencies), CI/CD Integration Stage, Image Repository (container image), CI/CD Deployment Stage, Running Application; SAST and the Dependency Checker run in the integration stage, SAST again on the container image, and DAST against the running application.
Dynamic Application Security Testing (DAST)
A DAST tool
- can perform automated security checks on a running application (i.e., in its dynamic context)
- uses well-known attack patterns for automated tests (e.g. SQL injection strings) in requests to the application
- compares the response of the application for different requests (attack patterns)
- deduces successful attacks from changes in the responses (e.g., output length)
- can also act as passive scanner for existing test sets, as intercepting proxy for manual pentesting, ...
Example (webshop at https://webshop.xyz): the "Request account details" form takes a name.

Normal request: Name = Schmidt
  Query: SELECT * FROM accounts WHERE name='Schmidt'
  Response: one row
    Name | Credit card
    Schmidt | 123 456 789

Attack pattern: Name = Schmidt' OR '1'='1
  Query: SELECT * FROM accounts WHERE name='Schmidt' OR '1'='1'
  Response: all rows
    Name | Credit card
    Albrecht | 456 789 123
    Arnold | 789 123 456
    ... | ...
    Zimmermann | 987 654 321
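The slide's webshop lookup, as an added example that is not part of the deck: the string-concatenated query beside its parameterized fix, plus the boolean-based probe a DAST tool uses (a tautology and its negation, both sent to the same endpoint) to decide from the response length whether the input reaches the query. The table rows and probe strings are constructed from the slide; sqlite3 stands in for the webshop database.

```python
import sqlite3

# Constructed demo data modelled on the slide's accounts table (not real data).
ROWS = [("Schmidt", "123 456 789"), ("Albrecht", "456 789 123"),
        ("Arnold", "789 123 456"), ("Zimmermann", "987 654 321")]

# The two probes the scanner sends: the slide's tautology and its negation.
TRUE_PATTERN = "Schmidt' OR '1'='1"
FALSE_PATTERN = "Schmidt' OR '1'='2"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, credit_card TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ROWS)
    return conn


def vulnerable_lookup(conn, name):
    # String concatenation: the input becomes part of the SQL statement.
    return conn.execute("SELECT * FROM accounts WHERE name='" + name + "'").fetchall()


def safe_lookup(conn, name):
    # Parameterized query: the input is bound as data and never parsed as SQL.
    return conn.execute("SELECT * FROM accounts WHERE name=?", (name,)).fetchall()


def render(rows):
    # Stand-in for the HTML page the scanner would compare.
    return "\n".join(f"{name} {card}" for name, card in rows)


def dast_check(handler, conn):
    """Boolean-based probe: if the TRUE and FALSE patterns produce responses
    of different length, the input is reaching the query unchanged."""
    true_len = len(render(handler(conn, TRUE_PATTERN)))
    false_len = len(render(handler(conn, FALSE_PATTERN)))
    return {"true_len": true_len, "false_len": false_len,
            "injectable": true_len != false_len}


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", dast_check(vulnerable_lookup, db))  # injectable: True
    print("parameterized:", dast_check(safe_lookup, db))      # injectable: False
```

With the parameterized handler both probes look for a customer literally named "Schmidt' OR '1'='1", return nothing, and the scanner sees no difference.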
The OWASP Zed Attack Proxy (ZAP)
Source: owasp.org
High level setup: ZAP sits between browser and web application.
Automated scanning can be as easy as this:
But: we typically need an authenticated context. But: ...
Performing an automated scan on WebGoat using ZAP
A deeper look on integrating ZAP in a CI/CD pipeline

DAST process:
- Perform passive scan to learn the site tree
  - Parameterize passive scan with ZAP preparation client
  - Launch regular application test suite
- Perform automated scan
  - Parameterize and launch scan with ZAP API client
- Generate report with ZAP report client
Components in the ZAP Docker container: ZAP (headless mode), ZAP preparation client, ZAP API client, ZAP report client. Application / test components: web application (web server), application test suite (e.g. Selenium tests). Reports go to GitLab.
- ZAP preparation client: parameterizes the passive scan
- ZAP API client: parameterizes and launches the automated scan
- ZAP report client: gets scan results from ZAP, generates report, pushes report to GitLab
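The API client and report client steps of the process above, as an added example written against ZAP's JSON REST API (not the team's own clients): it launches the active scan once the passive phase has filled the site tree, fetches the alerts, summarizes them per risk level and fails the pipeline stage at a chosen threshold. Host names, the API key placeholder and the sample alert list are assumptions; with `--live` the script talks to ZAP, otherwise it runs on the constructed sample.

```python
import json
import sys
import time
import urllib.parse
import urllib.request
from collections import Counter
# Assumed deployment values (placeholders, not the team's configuration).
ZAP_URL = "http://zap:8080"         # ZAP container, headless mode, API enabled
API_KEY = "REPLACE_WITH_ZAP_API_KEY"
TARGET = "http://webapp:8080"       # web application under test
RISK_ORDER = ["Informational", "Low", "Medium", "High"]

def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/ascan/action/scan/?url=...&apikey=..."""
    params["apikey"] = API_KEY
    return f"{ZAP_URL}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"

def call(component, kind, name, **params):
    with urllib.request.urlopen(api_url(component, kind, name, **params), timeout=60) as resp:
        return json.load(resp)

def wait_for(component, scan_id):
    # spider and ascan report progress 0..100 through their view/status endpoint
    while int(call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(5)

def run_active_scan():
    """Active scan over the site tree learned while the test suite ran through ZAP."""
    wait_for("ascan", call("ascan", "action", "scan", url=TARGET)["scan"])
    return call("core", "view", "alerts", baseurl=TARGET)["alerts"]

def summarize(alerts):
    """Alerts per risk level, the headline figures of the report pushed to GitLab."""
    return Counter(a["risk"] for a in alerts)

def gate(alerts, fail_at="High"):
    """Return (passed, blocking_alerts): the stage fails at or above fail_at."""
    limit = RISK_ORDER.index(fail_at)
    blocking = [a for a in alerts if RISK_ORDER.index(a["risk"]) >= limit]
    return not blocking, blocking
# Constructed sample in the shape of ZAP's alert records (trimmed to the fields used).
SAMPLE_ALERTS = [
    {"alert": "SQL Injection", "risk": "High", "url": TARGET + "/account"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": TARGET + "/"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "url": TARGET + "/login"},
]
if __name__ == "__main__":
    alerts = run_active_scan() if "--live" in sys.argv else SAMPLE_ALERTS
    passed, blocking = gate(alerts, fail_at="High")
    print(dict(summarize(alerts)), "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)
```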
Outlook: Integration of DAST results in development and governance processes and tools

Diagram: the pipeline above, extended with a ZAP export client that forwards the ZAP results to a vulnerability management tool (e.g. Defect Dojo) and a GRC tool (e.g. avedos).
Performing security tests and pushing reports to Git does not fix the problems:
- Development teams have to work with the results and must close vulnerabilities
- Security governance must manage risks and initiate measures on enterprise scale
We are thus building interfaces to integrate DAST results in
- Vulnerability management tools of development teams
- Risk / compliance management tools of CISO teams
Thank you for your attention
Please feel free to contact us:
[email protected]@deutschebahn.comtommaso.nuccio@[email protected]