devseccon asia 2017 - abhay bhargav: building an application vulnerability toolchain for secdevops
TRANSCRIPT
Join the conversation #devseccon
Building an Application Vulnerability Toolchain for SecDevOps
By Abhay Bhargav, CTO - we45
Quick Intro
• Co-author of Secure Java For Web Application Development
• Author of PCI Compliance: A Definitive Guide
• Passionate about Automation in Security
• Avid Pythonista
• Trainer and Workshop Lead for Security Training Workshops
The reason I got into this…
This is where we operate…
[Diagram: the end-to-end IT development and operations value chain: Plan, Code, Build, Test, Release, Deploy, Operate; spanning Agile development, Continuous Integration, Continuous Delivery and DevOps]
Our Learnings - 1
• Leverage Automation for anti-fragile apps
• Automation is a ‘misused’ word.
• Does NOT mean replace all human effort
• It means, LEVERAGE human effort where it really adds value
• REUSE human effort to generate actions
Our Learnings
Identify how to test
Leverage the best
Build the rest
And correlate!
Identify How to Test with SecDevOps Strategies
• Objective: Identify implementation that makes sense
• Stack
• Platform
• How Agile are you?
• Existing DevOps Practices
Leverage the Best
• Great SAST, DAST, etc. out there, but…
• Different tools do different things better
• Why not leverage the best?
• Spidering?? Really?? Scripted (instrumented) walkthroughs are the way to go
• What about Exploits?
• Dockerize FTW!
Instrumenting and Testing REST API
• Spidering Web Services/RESTful APIs is not feasible
• Existing test tools, IMHO, are really not meant for security testing
• We built a tool:
• Chain API requests + variables
• Data passed to the requestor from a YAML spec (easy to generate)
• Built-in fuzzer that works with JSON: mapping JSON for variables, etc.
• When passed through BurpSuite/ZAP/etc., the results are powerful
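As an added illustration of the request-chaining and JSON-fuzzing design described above (not we45's tool; the spec, URLs, token and transport are constructed stand-ins), a minimal Python requestor: steps run in order, fields extracted from one response become {{variables}} for later steps, and the fuzzer mutates one JSON leaf at a time so every other field stays valid.

```python
import json, re, functools
VAR = re.compile(r"\{\{(\w+)\}\}")

def render(value, variables):
    """Substitute {{name}} placeholders in strings and nested dicts."""
    if isinstance(value, str):
        return VAR.sub(lambda m: str(variables[m.group(1)]), value)
    if isinstance(value, dict):
        return {k: render(v, variables) for k, v in value.items()}
    return value

def run_chain(spec, send):
    """Run steps in order; each step may 'extract' response keys into variables."""
    variables = {}
    for step in spec["steps"]:
        request = render({k: v for k, v in step.items() if k != "extract"}, variables)
        response = send(request)  # send(request) -> parsed JSON response body
        for name, key in step.get("extract", {}).items():
            variables[name] = response[key]
    return variables

def fuzz_cases(template, values=("", "A" * 4096, None, -1, 2 ** 63, [], {})):
    """Yield (path, mutated copy): one JSON leaf at a time gets a type/length-confusing value."""
    def leaves(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                yield from leaves(v, path + [k])
        else:
            yield path
    for path in list(leaves(template, [])):
        for value in values:
            mutated = json.loads(json.dumps(template))  # deep copy keeps the rest valid
            parent = functools.reduce(lambda node, k: node[k], path[:-1], mutated)
            parent[path[-1]] = value
            yield "/" + "/".join(path), mutated

# Hypothetical spec, constructed inline (the talk loads it from YAML via yaml.safe_load).
SPEC = {"steps": [
    {"method": "POST", "url": "http://app.test/login",
     "json": {"user": "alice", "password": "secret"}, "extract": {"token": "token"}},
    {"method": "POST", "url": "http://app.test/orders",
     "headers": {"Authorization": "Bearer {{token}}"},
     "json": {"item": "widget", "qty": 2}, "extract": {"status": "status"}}]}

def fake_send(request):
    """Constructed stand-in for requests.request(..., proxies=...).json() via ZAP/Burp."""
    if request["url"].endswith("/login"):
        return {"token": "tok-123"}
    authorised = request.get("headers", {}).get("Authorization") == "Bearer tok-123"
    return {"status": "ok" if authorised else "denied"}
```

In real use, replace fake_send with a function that calls requests.request(method, url, headers=..., json=..., proxies={"http": "http://127.0.0.1:8080"}) so every chained and fuzzed request passes through the ZAP or Burp proxy for analysis.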
[Diagram of the toolchain: Target App; w3af, OWASP ZAP, BurpSuite Professional, Custom Automation/SAST; Correlation (false positive elimination, enhanced intelligence); Forward integration (JIRA/Bugzilla); Orchestration framework]
Build the Rest
• Exploits
• Orchestration Framework
• Granular Control over the Testing Process
• Correlation
Correlate
• Correlate Data from across
• Generic DAST Scans
• Custom Automation
• SAST
• NoSQL DBs are suited for it
• Attack Surface Mapping is a great idea!
Tools of our Trade - Where you start…
• Docker
• Selenium, Python-Requests, YAML, XVFB
• SAST Tools - Commercial and Open Source
• Platform AST Impl
• OWASP ZAP + Python API
• W3af + Python API
• BurpSuite Pro + Jython API
• ElasticSearch
Thank you!
Twitter: @abhaybhargav Linkedin: linkedin.com/in/abhaybhargav Blog: we45.com/blog