CreatinganAppSec PipelinewithcontainersinaweekHowwefailedandsucceeded

JeroenWillemsen– OWASPbenelux days

Aboutme

JeroenWillemsen@commjoeniejwillemsen@xebia.com

“Securityarchitect”“Full-stackdeveloper”“Mobilesecurity”

Agenda

• Thechallenge

• Thesolution

• Bumps onthe road

• Recap

THECHALLENGE

Whatcouldpossiblygowrong?

TheChallenge

TheChallenge:TheLandscape

TheChallenge:Existingworkflow

ReadyforValidation

E2ETest

DeploytoDev

UnitTest

StoreArtifact

BuildPull&Merge

TheChallenge:Newentries

• OWASPDependency-Check• Licensecheckers•

•

• Etc…

& & SAST

THESOLUTION

Wegotthere…kindoff

TheSolution:Extend the build step

Add dependency &license checkersontopofquality tooling.

GetfeedbackFAST!

TheSolution:Feeding ZAP&BURP

E2ETestwithproxy

Scheduledlongscans

DeploytoDev

UnitTest

StoreArtefact

BuildPull&Merge

Quickscan

TheSolution:DAST&reporting

TheSolution:Clair

• RunClaironthecreatedcontainers.

• Todo:runClairregularlyontheregistry,addwhitelists&integratewithThreadfix.– Bynowthiscouldbedonedifferentlyusingtheclair-scannerfromArminC.

TheSolution:Containerize!

• Ourtoolsembeddedincontainers:+ Lessadditionalplatformcomplexities+Canrunanywhere(locally/deployed)+ Easytoscale- Stillneedtomanagethedata!- Moreassetsthatmightcontainvulnerabilities- Notperfect:stillhavetohardenourassets

TheSolution:Astartingpoint

./clair-scannerapp/threadfix example-whitelist.yamlhttp://10.200.98.63:606010.200.98.632017-05-1210:50:19.712897I|Analyzing014fdc7e45e4e7c5967856fc65d7bb5ff0b324fe4ef1ac8ce448843ab310416aAnd9otherlayers...Giving:2017-05-1210:50:19.854789I|Imagecontainsunapprovedvulnerabilities:[CVE-2017-6508]

Examplescanwithalaterversionoftheclair-scannerbyArminCoralic:

TheSolution:Astartingpoint

• 2017-05-1210:50:19.854789I|Imagecontainsunapprovedvulnerabilities:[CVE-2017-6508]– Avulnerabilitywhencreatingthecontainer– Notusedduringruntime– Claircannotpickupthelayersinwhichyoucreateyourowncustomtooling(yourownjar’s,executables,etc.)

TheSolution:Did it work?

YES!Not all components arein,

butfeedbackisalready ofgreat value

BUMPSONTHEROAD

And their countermeasures

Bump1:Falsepositives

Bump1:Falsepositives

• Use settings/plugins inappà noscaling.

• Use aDBwith aframework:

• Havean API&

Bump2:LegacyAPIs

X

Bump2:LegacyAPIs

TestlegacyAPIsseparatelyL

Stubit,withthehelpoftheteams

Bump3:Notfrustratedevelopers

• Give feedbackfast!• Automate all the things!• Bepartofthe team• Filter&suppress false positives ASAP• Use known tooling

Bump4:IntegratingBurpproxy

• IntegrationwithBurpisnotcompleted– Custombuildsforcontainers– Attimeoftesting:AdditionalextensionsnecessarytohaveaproperRESTAPI

Bump5:Falsenegatives….

Securityautomationdoesnotmean:nomanualpentesting.

Evenwhenyouaddmoretools(whichwehaveto…).

Bump6:Platformteamavailability

Lessonlearnedlateron….

• Theneedformultiplepipelines…

Appsec-pipeline:

Lessonlearnedlateron….

• Theneedformultiplepipelines…

Appsec-pipeline:

Securitypipeline:

Nmap

….

Lessonlearnedlateron

• UsetheSWAGGERApi ifpossible• Soooooooo manytoolstouse:– Docker?ThinkofDockerBench,OpenSCAP,Anchore,etc…– Infrastructure?Startwith OpenVAS,OpenSCAP,Inspec– Inspectcertificates:SSLlabs,testSSL.sh– Everylanguagehasitsquality&securitytooling

RECAP

To sum up

Recap

• Automateallthethings:getfeedbackFAST.• Containerize• Filterfalsepositives• StublegacyAPIs• HELPdevelopers,DONOTfrustrate!• Stillaneedformanualpentesting &reviewing.• Getplatform-teamsupport!• Everypartofthepipelineisablessing!

QUESTIONS?

THANKYOU!