Automating OWASP Tests in your CI/CD

Automating OWASP tests within your CICD Process

© 2016 eGlobalTech. All rights reserved.

Rajiv Kadayam

Tech Strategy


I’VE GOT A FEVER

AND THE ONLY PRESCRIPTION IS MORE SECURE SOFTWARE!!


86% of websites contain at least one serious vulnerability

Make vulnerability remediation process faster and easier

Visibility, Accountability and Empowerment


OWASP?

Make software security visible, so that individuals and organizations are able to make informed decisions

https://www.owasp.org

Popular Project - OWASP Top 10 security flaws


[Pipeline diagram: Backlog → Source Control → Build / Automated Testing (Unit, Functional, Integration) → Release Candidate → Staging / Production → Web App Penetration Testing; multiple daily/weekly iterations]

Web App Penetration testing is conducted very late in the process

Disconnected Agile Development & OWASP Testing


[Pipeline diagram: Backlog → Source Control → Build / Automated Testing (Unit, Functional, Integration, Static Code Scan) → Release Candidate → Staging / Production → Web App Penetration Testing]

Static code scanning is helpful but not sufficient

Disconnected Agile Development & OWASP Testing

Less time to fix – Unhappy Teams


[Pipeline diagram: Backlog → Source Control → Build / Automated Testing (Unit, Functional, Integration) → Release Candidate → Staging / Production → Web App Penetration Testing]

Vulnerabilities leak through into production

How do we fix this?

Remediation Cost = Number of FTEs x Time

[Diagram: Managers, Agile Teams, Operations, Cybersecurity]


[Pipeline diagram: Backlog → Source Control → Build / Automated Testing (Unit, Functional, Integration) → Release Candidate → Staging / Production → Security Penetration Testing; labels: Iterative / Agile Development]

Visible and actionable details on failures and errors

Build Quality Report

Push to the left of the process

Integrate & Automate


[Pipeline diagram: Backlog → Source Control → Build / Automated Testing (Unit, Functional, Integration, Security Penetration Testing) → Release Candidate → Staging / Production; labels: Dev/Test Env, Gauntlt]

Build Quality Report: Test Execution Results, Security Vulnerabilities

Enables developers to remediate issues faster

Espial – Integrate OWASP Testing in CI/CD


[Pipeline diagram: Backlog → Source Control → Build / Automated Testing (Unit, Functional, Integration, Security Penetration Testing) → Release Candidate → Staging / Production; labels: Dev/Test Env, Gauntlt]

Build Quality Report: Test Execution Results, Security Vulnerabilities

Security By Design - True DevSecOps!

Enables automated FISMA/NIST Security Compliance

Espial – Integrate OWASP Testing in CI/CD


BodgeIt-Plus: store front app with some vulnerabilities

• Cross Site Scripting

• SQL injection

Espial Demo – Sample App and Code


- Build and Deploy to Test env

- OWASP Zap runs penetration tests

- Produce vulnerability report and integrate within Jenkins

Espial Demo – Continuous Integration Kicks-in
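The last step of this demo flow, and the "Security Vulnerabilities" part of the Build Quality Report, needs the ZAP output turned into something Jenkins can act on. The script below is an added example, not part of the Espial demo or of Gauntlt/ZAP: it reads alerts in the shape of ZAP's alerts API view (the field names are an assumption), counts them by risk for the report, and exits non-zero so Jenkins marks the build failed when any alert reaches the threshold; the embedded sample alerts are constructed to mirror the BodgeIt-Plus findings (XSS and SQL injection), and the host name is a placeholder.

```python
"""Build gate for the ZAP step of the demo pipeline: reads alerts shaped like
ZAP's alerts API view (field names are an assumption), counts them by risk for
the Build Quality Report, and exits non-zero (a failed Jenkins build) when any
alert reaches the configured risk threshold."""
import json
import sys
from collections import Counter

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample, shaped like the findings ZAP raises for the demo app.
SAMPLE_REPORT = json.dumps({"alerts": [
    {"alert": "SQL Injection", "risk": "High",
     "url": "http://bodgeit-plus.test/search.jsp", "param": "q"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://bodgeit-plus.test/search.jsp", "param": "q"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "url": "http://bodgeit-plus.test/", "param": ""},
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low",
     "url": "http://bodgeit-plus.test/login.jsp", "param": "JSESSIONID"},
]})

def summarize(report_json):
    """Return (counts by risk, findings sorted highest risk first)."""
    alerts = json.loads(report_json).get("alerts", [])
    counts = Counter(a.get("risk", "Informational") for a in alerts)
    # One row per (risk, alert, url, param): ZAP repeats an alert per request.
    rows = {(RISK_ORDER.get(a.get("risk"), 0), a["alert"],
             a.get("url", ""), a.get("param", "")) for a in alerts}
    return counts, sorted(rows, reverse=True)

def gate(report_json, fail_at="High"):
    """True when the build may proceed: no alert at or above fail_at."""
    counts, _ = summarize(report_json)
    limit = RISK_ORDER[fail_at]
    return all(RISK_ORDER.get(risk, 0) < limit for risk in counts)

def main(argv):
    report = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    counts, rows = summarize(report)
    print("Security Vulnerabilities:", dict(counts))
    for _, name, url, param in rows:
        print(f"  {name} at {url} (param: {param or '-'})")
    return 0 if gate(report) else 1  # non-zero exit fails the Jenkins build

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a Jenkins build step after the ZAP scan with the exported alerts file as the argument; once the SQL injection and XSS fixes are checked in, the same report passes the High gate but still fails if the threshold is lowered to Medium.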


Espial Demo – Security Vulnerabilities Report


Espial Demo – Security Vulnerabilities Report Drill Down


Developer fixes the code

Fixed code checked-in

Continuous Integration Kicks-In

Espial Demo – Remediation of SQL Injection


Espial Demo – SQL Injection Vulnerability Remediated


Based on 100% open source tools

- Core Tools
  - Gauntlt
  - OWASP Zap
- Supporting Tools
  - Jenkins (can adapt to Bamboo, TeamForge, etc.)
  - Vagrant, Docker (Puppet/Cloud-Forms, Chef, or Ansible)

Espial Demo – Tools and Technologies


• Clear and continuous visibility of security vulnerabilities

• Eliminates risk of vulnerabilities creeping in

• Saves time, money and resources

Espial – Key Features and Benefits


• Implementation at federal DevOps projects

• Richer integration with Jenkins2, SonarQube

• Automate Issue tracking with Git, JIRA, and similar

Comments / Suggestions - [email protected]

Espial – What’s Next?
