implementing an application security pipeline in jenkins
TRANSCRIPT
Implementing an Application Security Pipeline in Jenkins

Agenda
• Introduction
• Continuous Integration
• Application Security Pipelines
• Approaches in Jenkins
• Demo
About me
• Software security professional with 10+ years of experience
• Specialize in Secure SDLC implementation: Threat Modeling / Secure Code Review / Penetration Testing / Continuous Security Testing
• Secure Coding Trainer, SecurityQA Testing Trainer
• Speaker at DevSecOps Singapore & Null Singapore
• What's next for me? IoT Security
Continuous Integration
[Diagram: GitHub (Master, Branch1) feeds Jenkins, whose Build stage runs Compile, Test and Publish before Deploy to the Dev environment; Open Source Libraries are pulled into the build.]
Application Security Pipeline
[Diagram: security activities laid across the lifecycle phases Requirements, Design, Development, Build and Deploy, Staging and Production. Activities shown: Threat Modeling; Repository / SCM Tools; External Repositories and Common Components; SCA Tools / IDE Plugins; Security Test Automation; VS/PT/IAST; Components Monitoring; Monitoring in Production.]
What we need?
• People: training, roles
• Process: compliance, certifications
• Technology: security tools, dev tools
Education
• Traditional training
• Shorter training duration
• Modular
• Hands-on
• Challenges
• Scoring

Software security centric process, standards & approaches
• Rugged Software: “Rugged” describes software development organizations which have a culture of rapidly evolving their ability to create available, survivable, defensible, secure, and resilient software.
• BSIMM: The Building Security In Maturity Model (BSIMM, pronounced “bee simm”) is a study of existing software security initiatives. By quantifying the practices of many different organizations, we can describe the common ground shared by many as well as the variation that makes each unique.
• OWASP SAMM: Evaluate an organization’s existing software security practices; build a balanced software security assurance program in well-defined iterations; demonstrate concrete improvements to a security assurance program; define and measure security-related activities throughout an organization.
Choose the right tools
• IDE Plugins
• SAST / Dependencies check
  • CI/CD support
  • Scalability
  • Scan time
  • Incremental report
  • False positives
  • Custom rule set
  • Language support
  • Plugins
• DAST
  • API calls
  • Scalability
  • Scan policies
  • Plugins
• Security unit test cases
• IAST
  • Less false positives
  • Monitor traffic
  • Along with QA testing
  • Immediate feedback
• Threat Modelling
• Secure Coding Training
Jenkins Application Security Pipeline
• Configuration as Code
• Jenkins Plugins

Plugins
• GitHub
• Delivery Pipeline
• Build Pipeline
• OWASP Dependency-Check Plugin
• HP Fortify Jenkins Plugin
• OWASP ZAP Plugin
• Sonatype CLM for CI plugin
Feedback loop
[Chart: findings per tool category (SAST, DAST, SecurityQA, VS/Fuzzing, IAST) on a 0–10 scale, fed into an Analytics DB.]

Security metrics template
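The slides name the building blocks (Configuration as Code, the Dependency-Check and ZAP plugins, a feedback loop that feeds security metrics into an analytics DB) but show no pipeline definition. The Jenkinsfile below is an added example, not code from the talk or from any of the listed plugins: it chains build, SCA, DAST and a severity gate, then writes one metrics row per build. The stage names, the `MAX_HIGH` threshold, the staging URL, the image tag and the report paths are assumptions; `dependencyCheck`/`dependencyCheckPublisher` are the OWASP Dependency-Check plugin's pipeline steps, `readJSON` comes from the Pipeline Utility Steps plugin, and the ZAP baseline scan is run from the official container rather than through the Jenkins ZAP plugin.

```groovy
// Added example Jenkinsfile (declarative pipeline). Assumptions: a Maven project,
// the OWASP Dependency-Check plugin with a tool named 'dependency-check' configured,
// the Pipeline Utility Steps plugin (readJSON), and Docker available on the agent.
pipeline {
    agent any

    environment {
        // Constructed values: replace with the real application and staging URL.
        APP_NAME    = 'demo-app'
        STAGING_URL = 'http://staging.example.internal:8080'
        MAX_HIGH    = '0'   // feedback loop: any Critical/High dependency finding fails the build
    }

    stages {
        stage('Build') {
            steps { sh 'mvn -B -DskipTests package' }
        }

        stage('Unit and security unit tests') {
            steps { sh 'mvn -B test' }
            post { always { junit '**/target/surefire-reports/*.xml' } }
        }

        stage('SCA: OWASP Dependency-Check') {
            steps {
                // Scans the workspace and writes XML + JSON reports under dc-report/.
                dependencyCheck additionalArguments: '--scan . --format ALL --out dc-report',
                                odcInstallation: 'dependency-check'
                dependencyCheckPublisher pattern: 'dc-report/dependency-check-report.xml'
            }
        }

        stage('DAST: OWASP ZAP baseline') {
            steps {
                // Passive baseline scan of the staging deployment; "|| true" keeps the
                // JSON report for archiving even when ZAP reports warnings.
                sh """
                  docker run --rm -v \$PWD:/zap/wrk:rw -t owasp/zap2docker-stable \\
                    zap-baseline.py -t ${env.STAGING_URL} -J zap-baseline.json || true
                """
            }
        }

        stage('Feedback loop: gate and metrics') {
            steps {
                script {
                    // Count dependency findings by severity from the JSON report.
                    def report = readJSON file: 'dc-report/dependency-check-report.json'
                    def counts = [CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0]
                    report.dependencies.each { dep ->
                        (dep.vulnerabilities ?: []).each { v ->
                            def sev = (v.severity ?: 'LOW').toUpperCase()
                            counts[sev] = (counts[sev] ?: 0) + 1
                        }
                    }

                    // One row per build for the security metrics template / analytics DB.
                    def row = "${env.JOB_NAME},${env.BUILD_NUMBER},SCA," +
                              "${counts.CRITICAL},${counts.HIGH},${counts.MEDIUM},${counts.LOW}"
                    writeFile file: 'security-metrics.csv',
                              text: "job,build,tool,critical,high,medium,low\n${row}\n"
                    archiveArtifacts artifacts: 'security-metrics.csv,zap-baseline.json',
                                     fingerprint: true

                    // The gate: developers get immediate feedback in the build result.
                    if (counts.CRITICAL + counts.HIGH > env.MAX_HIGH.toInteger()) {
                        error "Security gate failed: ${counts.CRITICAL} critical / " +
                              "${counts.HIGH} high dependency findings"
                    }
                }
            }
        }

        stage('Deploy') {
            // 'branch' condition assumes a multibranch pipeline job.
            when { branch 'master' }
            steps { sh './deploy.sh staging' }
        }
    }
}
```

The gate runs after both scanners so that the metrics row and the ZAP report are archived even on a failing build; tightening or loosening the policy is a one-line change to `MAX_HIGH`, which keeps the threshold visible in version control alongside the pipeline rather than hidden in a job's UI configuration.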
References
• Jenkins Continuous Integration Cookbook, Alan Mark Berg
• https://www.ruggedsoftware.org
• https://www.bsimm.com
• https://www.owasp.org/index.php/OWASP_SAMM_Project
• http://www.opensamm.org/
• https://wiki.jenkins-ci.org/display/JENKINS/Delivery+Pipeline+Plugin
• https://wiki.jenkins-ci.org/display/JENKINS/Build+Pipeline+Plugin
• https://wiki.jenkins-ci.org/display/JENKINS/Zapper+Plugin