DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability Toolchain for SecDevOps
Join the conversation #devseccon
Building an Application Vulnerability Toolchain for SecDevOps
By Abhay Bhargav, CTO - we45
Quick Intro
• Co-author of Secure Java For Web Application Development
• Author of PCI Compliance: A Definitive Guide
• Passionate about Automation in Security
• Avid Pythonista
• Trainer and Workshop Lead for Security Training Workshops
The reason I got into this…
This is where we operate…
[Diagram: the end-to-end IT development and operations value chain, Plan → Code → Build → Test → Release → Deploy → Operate, with Agile development, Continuous Integration, Continuous Delivery and DevOps overlaid on the stages each one covers]
Our Learnings - 1
• Leverage Automation for anti-fragile apps
• Automation is a 'misused' word.
• It does NOT mean replacing all human effort
• It means: LEVERAGE human effort where it really adds value
• REUSE human effort to generate actions
Our Learnings
Identify how to test
Leverage the best
Build the rest
And correlate!
Identify How to Test with SecDevOps Strategies
• Objective: Identify implementation that makes sense
• Stack
• Platform
• How Agile are you?
• Existing DevOps Practices
Leverage the Best
• Great SAST, DAST, etc. out there, but…
• Different tools do different things better
• Why not leverage the best?
• Spidering?? Really?? Scripted (instrumented) walkthroughs are the way to go
• What about Exploits?
• Dockerize FTW!
Instrumenting and Testing REST API
• Spidering Web Services/RESTful APIs is not feasible
• Existing test tools, IMHO, are really not meant for security testing
• We built a tool:
  • Chains API requests + variables
  • Data is passed to the requestor from a YAML spec (easy to generate)
  • Built-in fuzzer that works with JSON: maps JSON fields to variables, etc.
• When passed through BurpSuite/ZAP/etc., the results are powerful
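The chaining and JSON-fuzzing idea above, as an added example that is not we45's tool or any code from the talk: a YAML-style spec (shown as the dict PyYAML would parse it into, so nothing outside the standard library is needed) drives a sequence of requests, values extracted from one response are substituted into the next, and a fuzzer then replays the chain up to a chosen step and mutates each JSON leaf of that step with type-confusion payloads, reporting any 5xx. The target here is a constructed in-memory fake API with a deliberate type-handling bug; the `transport` callable is the seam where a real run would plug in an HTTP client whose proxy is pointed at ZAP or Burp.

```python
"""Added example (not we45's tool): a minimal spec-driven request chainer with
variable extraction plus a JSON type-fuzzer, run offline against a fake API."""
import copy
import re

# Constructed spec: what yaml.safe_load() returns for a chain whose first step
# logs in and extracts `token` and `user.id`, and whose second step uses them.
SPEC = {
    "vars": {"user": "alice", "password": "secret"},
    "requests": [
        {"name": "login", "method": "POST", "path": "/api/login",
         "json": {"user": "{{user}}", "password": "{{password}}"},
         "extract": {"token": "token", "user_id": "user.id"}},
        {"name": "profile", "method": "GET", "path": "/api/users/{{user_id}}",
         "headers": {"Authorization": "Bearer {{token}}"}},
    ],
}


def fake_api(method, path, headers, body):
    """Constructed transport: (method, path, headers, json) -> (status, json).
    A real transport would wrap an HTTP client proxied through ZAP/Burp."""
    body = body or {}
    try:
        if method == "POST" and path == "/api/login":
            # Deliberate bug: .lower() assumes "user" is always a string.
            if body["user"].lower() == "alice" and body.get("password") == "secret":
                return 200, {"token": "t0k3n", "user": {"id": 42}}
            return 401, {"error": "bad credentials"}
        m = re.fullmatch(r"/api/users/(\d+)", path)
        if method == "GET" and m:
            if headers.get("Authorization") != "Bearer t0k3n":
                return 401, {"error": "unauthorized"}
            return 200, {"id": int(m.group(1)), "name": "alice"}
        return 404, {"error": "not found"}
    except Exception:  # unhandled error surfaces as a 500, as in a real app
        return 500, {"error": "internal server error"}


def substitute(obj, variables):
    """Replace {{name}} placeholders anywhere inside a nested JSON-like value."""
    if isinstance(obj, str):
        return re.sub(r"\{\{(\w+)\}\}", lambda m: str(variables[m.group(1)]), obj)
    if isinstance(obj, dict):
        return {k: substitute(v, variables) for k, v in obj.items()}
    if isinstance(obj, list):
        return [substitute(v, variables) for v in obj]
    return obj


def lookup(data, dotted):
    """Walk a JSON response by a dotted key path such as 'user.id'."""
    for part in dotted.split("."):
        data = data[part]
    return data


def render(step, variables):
    """Substitute variables into a step; the extract mapping is left as-is."""
    return substitute({k: v for k, v in step.items() if k != "extract"}, variables)


def run_chain(spec, transport, upto=None):
    """Run steps in order (stopping before `upto`), feeding extracted values forward."""
    variables = dict(spec.get("vars", {}))
    results = []
    for step in spec["requests"]:
        if step["name"] == upto:
            break
        req = render(step, variables)
        status, resp = transport(req["method"], req["path"], req.get("headers", {}), req.get("json"))
        for var, path in step.get("extract", {}).items():
            variables[var] = lookup(resp, path)
        results.append((step["name"], status, resp))
    return results, variables


def json_leaf_paths(obj, prefix=()):
    """Yield the key path of every scalar leaf in a JSON body."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from json_leaf_paths(v, prefix + (k,))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from json_leaf_paths(v, prefix + (i,))
    else:
        yield prefix


TYPE_PAYLOADS = [None, 0, [], {}, "", "A" * 4096]  # type/length confusion only


def fuzz_step(spec, step_name, transport, payloads=TYPE_PAYLOADS):
    """Replay the chain up to a step, then mutate each JSON leaf of that step.
    Returns (leaf, payload, status) for every response with a 5xx status."""
    _, variables = run_chain(spec, transport, upto=step_name)
    step = render(next(s for s in spec["requests"] if s["name"] == step_name), variables)
    anomalies = []
    for path in list(json_leaf_paths(step.get("json", {}))):
        for payload in payloads:
            body = copy.deepcopy(step["json"])
            node = body
            for key in path[:-1]:
                node = node[key]
            node[path[-1]] = payload
            status, _ = transport(step["method"], step["path"], step.get("headers", {}), body)
            if status >= 500:
                anomalies.append((".".join(map(str, path)), repr(payload)[:12], status))
    return anomalies


if __name__ == "__main__":
    for name, status, resp in run_chain(SPEC, fake_api)[0]:
        print(f"{name}: {status} {resp}")
    for leaf, payload, status in fuzz_step(SPEC, "login", fake_api):
        print(f"fuzz login.{leaf} = {payload}: HTTP {status}")
```

The payload list is deliberately limited to wrong types and lengths: the point of running the chain through an interception proxy is that ZAP or Burp supply the injection testing, while the chainer contributes the authenticated, correctly sequenced traffic a spider could never produce. A 5xx on a leaf is a robustness finding to triage, not a confirmed vulnerability.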
[Diagram: the target app is exercised by w3af, OWASP ZAP, BurpSuite Professional and custom automation/SAST]
[Diagram: four numbered stages on top of an orchestration framework: correlation, false positive elimination, enhanced intelligence, and forward integration into JIRA/Bugzilla]
Build the Rest
• Exploits
• Orchestration Framework
• Granular Control over the Testing Process
• Correlation
Correlate
• Correlate Data from across
• Generic DAST Scans
• Custom Automation
• SAST
• NoSQL DBs are suited for it
• Attack Surface Mapping is a great idea!
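Correlation across DAST scans, custom automation and SAST, and the false positive elimination and forward integration stages of the orchestration diagram, as one added example that is neither we45's framework nor code from the talk. Each tool reports in its own shape, so the findings are first normalised to a (vulnerability class, path, parameter) key, then grouped; confidence is graded by how many independent sources agree, with static and dynamic evidence on the same key graded highest, and only findings above a threshold are turned into tracker tickets. All raw findings are constructed, the tool output shapes are simplified stand-ins, and the ticket dict is an illustrative payload, not the JIRA REST schema; the correlated documents are plain dicts that would be stored in a document store such as the ElasticSearch the deck lists.

```python
"""Added example (not we45's framework): normalise, correlate and grade
findings from several scanners, then emit tracker tickets for the confident ones."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed raw findings in simplified per-tool shapes.
ZAP_ALERTS = [
    {"alert": "SQL Injection", "url": "http://app.local/api/users?id=1", "param": "id", "risk": "High"},
    {"alert": "X-Content-Type-Options Header Missing", "url": "http://app.local/", "param": "", "risk": "Low"},
]
W3AF_VULNS = [
    {"name": "SQL injection", "url": "http://app.local/api/users", "var": "id"},
    {"name": "Cross site scripting", "url": "http://app.local/search", "var": "q"},
]
BURP_ISSUES = [
    {"issue": "Cross-site scripting (reflected)", "path": "/search", "parameter": "q"},
]
SAST_RESULTS = [
    {"rule": "sql-injection", "file": "api/users.py", "line": 42, "route": "/api/users", "param": "id"},
]
ALL_FINDINGS = {"zap": ZAP_ALERTS, "w3af": W3AF_VULNS, "burp": BURP_ISSUES, "sast": SAST_RESULTS}

DAST_TOOLS = {"zap", "w3af", "burp"}
CONFIDENCE_RANK = {"high": 0, "confirmed": 1, "review": 2}
CLASS_MAP = {  # each tool's own vulnerability name -> canonical class (constructed mapping)
    "sql injection": "sqli", "sql-injection": "sqli",
    "cross site scripting": "xss", "cross-site scripting (reflected)": "xss",
    "x-content-type-options header missing": "missing-header",
}


def canonical_class(name):
    """Collapse case and whitespace, then map to a canonical class or 'other:<name>'."""
    key = " ".join(name.lower().split())
    return CLASS_MAP.get(key, "other:" + key)


def normalize(source, raw):
    """Map one tool's finding onto the common (class, path, param) shape, keeping the raw evidence."""
    if source == "zap":
        name, path, param = raw["alert"], urlsplit(raw["url"]).path, raw["param"]
    elif source == "w3af":
        name, path, param = raw["name"], urlsplit(raw["url"]).path, raw["var"]
    elif source == "burp":
        name, path, param = raw["issue"], raw["path"], raw["parameter"]
    elif source == "sast":
        name, path, param = raw["rule"], raw["route"], raw["param"]
    else:
        raise ValueError(f"unknown source {source}")
    return {"class": canonical_class(name), "path": path, "param": param or None,
            "source": source, "evidence": raw}


def correlate(findings_by_source):
    """Group normalised findings by key and grade confidence by independent agreement."""
    groups = defaultdict(list)
    for source, raws in findings_by_source.items():
        for raw in raws:
            f = normalize(source, raw)
            groups[(f["class"], f["path"], f["param"])].append(f)
    out = []
    for (cls, path, param), items in groups.items():
        sources = sorted({f["source"] for f in items})
        has_dast = any(s in DAST_TOOLS for s in sources)
        if "sast" in sources and has_dast:
            confidence = "high"        # static and dynamic evidence agree on the same sink
        elif len(sources) >= 2:
            confidence = "confirmed"   # two independent tools agree
        else:
            confidence = "review"      # single-tool report: triage before ticketing
        out.append({"class": cls, "path": path, "param": param, "sources": sources,
                    "confidence": confidence, "evidence": [f["evidence"] for f in items]})
    return sorted(out, key=lambda c: (CONFIDENCE_RANK[c["confidence"]], c["class"], c["path"]))


def to_tickets(correlated, ship=("high", "confirmed")):
    """Forward integration: build tracker payloads (illustrative shape, not the JIRA schema)."""
    return [{"summary": f"[{c['confidence']}] {c['class']} at {c['path']} param={c['param']}",
             "labels": ["secdevops", c["class"]], "sources": c["sources"],
             "evidence_count": len(c["evidence"])}
            for c in correlated if c["confidence"] in ship]


if __name__ == "__main__":
    for c in correlate(ALL_FINDINGS):
        print(f"{c['confidence']:9} {c['class']:15} {c['path']} param={c['param']} sources={c['sources']}")
    for t in to_tickets(correlate(ALL_FINDINGS)):
        print("ticket:", t["summary"])
```

The "review" bucket is where false positive elimination happens in practice: a single-tool report is neither dropped nor ticketed automatically, but queued for a human or for the custom automation to confirm, which is the "leverage human effort where it adds value" point from the earlier slide.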
Tools of our Trade - Where you start…
• Docker
• Selenium, Python-Requests, YAML, XVFB
• SAST Tools - Commercial and Open Source
• Platform AST Impl
• OWASP ZAP + Python API
• w3af + Python API
• BurpSuite Pro + Jython API
• ElasticSearch
Thank you!
Twitter: @abhaybhargav
LinkedIn: linkedin.com/in/abhaybhargav
Blog: we45.com/blog