Implementing an Application Security Pipeline in Jenkins

Upload: suman-sourav-csslp

Post on 07-Jan-2017

Category: Software

TRANSCRIPT

Page 1: Implementing an Application Security Pipeline in Jenkins

Page 2

Implementing an Application Security Pipeline in Jenkins

• Introduction
• Continuous Integration
• Application Security Pipelines
• Approaches in Jenkins
• Demo

Page 3

About me

• Software Security Professional with 10+ years of experience
• Specialize in Secure SDLC implementation
• Threat Modeling / Secure Code Review / Penetration Testing / Continuous Security Testing
• Secure Coding Trainer, SecurityQA Testing Trainer
• Speaker at DevSecOps Singapore & Null Singapore

What next for me? IoT Security

Page 4

Continuous Integration

[Diagram] CI flow with the following nodes: GitHub (Master, Branch1) → Jenkins Build (Compile, Test, Publish, Deploy) → Dev Deploy; Open Source Libraries shown as an input to the build.

Page 5

Application Security Pipeline

[Diagram] Lifecycle phases: REQUIREMENTS, DESIGN, DEVELOPMENT, BUILD AND DEPLOY, STAGING, PRODUCTION. Security activities and tooling shown across the phases: Threat Modeling; Repository / SCM Tools; External Repositories / Common Components; SCA Tools / IDE Plugins; Security Test Automation; VS/PT/IAST; Monitoring / Components Monitoring.

Page 6

What we need?

[Diagram] People / Process / Technology triad

• People: Training, Role
• Process: Compliance, Certifications
• Technology: Security tools, Dev tools

Page 7

Education

• Traditional Training
• Shorter training duration
• Modular
• Hands-on
• Challenges
• Scoring

Page 8

Software security centric process, standards & approaches

• Rugged Software: “Rugged” describes software development organizations which have a culture of rapidly evolving their ability to create available, survivable, defensible, secure, and resilient software.

• BSIMM: The Building Security In Maturity Model (BSIMM, pronounced “bee simm”) is a study of existing software security initiatives. By quantifying the practices of many different organizations, we can describe the common ground shared by many as well as the variation that makes each unique.

• OWASP SAMM:
  • Evaluate an organization’s existing software security practices
  • Build a balanced software security assurance program in well-defined iterations
  • Demonstrate concrete improvements to a security assurance program
  • Define and measure security-related activities throughout an organization

Page 9

Choose the right tools

• IDE Plugins

• SAST / Dependencies check
  • CI/CD supports
  • Scalability
  • Scan time
  • Incremental report
  • False positives
  • Custom rules set
  • Language supports
  • Plugins

• DAST
  • API calls
  • Scalability
  • Scan policies
  • Plugins

• Security unit test cases

• IAST
  • Less false positives
  • Monitor traffic
  • Along with QA testing
  • Immediate feedback

• Threat Modelling

• Secure Coding Training

Page 10

Jenkins Application Security Pipeline

• Configuration as Code
• Jenkins Plugin

Page 11

Plugins

• GitHub
• Delivery Pipeline
• Build Pipeline
• OWASP Dependency-Check Plugin
• HP Fortify Jenkins Plugin
• OWASP ZAP Plugin
• Sonatype CLM for CI plugin
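An added example, not from the slides or the speaker: a declarative Jenkinsfile showing the "Configuration as Code" approach, wiring the Compile / Test / Publish / Deploy stages of the CI slide together with the OWASP Dependency-Check plugin and an OWASP ZAP scan as security gates. Assumptions: a Maven project, a Dependency-Check tool installation named `dependency-check` in Jenkins, a hypothetical `deploy-staging.sh` script, a staging URL in the `STAGING_URL` variable, and Docker available on the agent for the ZAP baseline scan.

```groovy
// Declarative Jenkinsfile (added example). Each security stage fails the build
// on findings, so a broken gate stops the promotion to staging/production.
pipeline {
    agent any
    environment {
        // Hypothetical staging endpoint for the DAST stage (assumption, set per environment)
        STAGING_URL = 'http://staging.example.internal:8080'
    }
    stages {
        stage('Compile') {
            steps { sh 'mvn -B -DskipTests clean package' }
        }
        stage('Unit and security unit tests') {
            steps { sh 'mvn -B test' }
            post { always { junit 'target/surefire-reports/*.xml' } }
        }
        stage('Dependency check (SCA)') {
            steps {
                // OWASP Dependency-Check plugin steps; the CLI flag --failOnCVSS 7
                // makes the step fail when a dependency has a CVSS score of 7 or higher.
                dependencyCheck additionalArguments: '--scan . --format XML --failOnCVSS 7',
                                odcInstallation: 'dependency-check'   // tool name: assumption
                dependencyCheckPublisher pattern: 'dependency-check-report.xml'
            }
        }
        stage('Publish and deploy to staging') {
            steps {
                archiveArtifacts artifacts: 'target/*.jar', fingerprint: true
                sh './deploy-staging.sh target/*.jar'   // hypothetical deploy script
            }
        }
        stage('DAST: ZAP baseline scan') {
            steps {
                // Passive baseline scan from the ZAP Docker image (image name: assumption).
                // zap-baseline.py exits non-zero on WARN/FAIL results, which fails this stage.
                sh '''
                  docker run --rm -v "$PWD":/zap/wrk:rw ghcr.io/zaproxy/zaproxy:stable \
                    zap-baseline.py -t "$STAGING_URL" -r zap-report.html
                '''
            }
            post { always { archiveArtifacts artifacts: 'zap-report.html', allowEmptyArchive: true } }
        }
    }
    post {
        failure { echo 'Security gate failed: review the Dependency-Check and ZAP reports' }
    }
}
```

The archived XML and HTML reports are what the "Feedback loop" slide would feed into an analytics database for security metrics.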

Page 12

Feedback loop

[Chart] Security metrics template: bar chart with categories SAST, DAST, SecurityQA, VS/Fuzzing and IAST on a 0–10 scale, fed from an Analytics DB.

Page 14

http://www.sumansourav.com

Thank you