ReducingthefrictionofvulnerabilityscanningincontinuousintegrationAllanCascante

LegalNotices

Thispresentationisforinformationalpurposesonly.INTELMAKESNOWARRANTIES,EXPRESSORIMPLIED,INTHISSUMMARY. Nocomputersystemcanbeabsolutelysecure.

IntelandtheIntellogoaretrademarksofIntelCorporationintheU.S.and/orothercountries.

*Othernamesandbrandsmaybeclaimedasthepropertyofothers.

Copyright© 2018,IntelCorporation.Allrightsreserved.

AboutMe

@allancascante

http://linkedin.com/in/allancascante

Some Key Terms• SAST– StaticApplicationSecurityTesting• DAST– DynamicApplicationSecurityTesting• SecurityTesting– Validatingsoftwareforvulnerabilities• DevOps– Culturalchangetobringdevelopmentandoperationstogether

• DevSecOps – DevOps+Security• CI- ContinuousIntegration• CD- ContinuousDelivery• DeliveryPipeline– AutomatedProcesstoDeliverSoftware.

HOWTOGOFASTANDSECURELY?Whendevelopingsoftware

ContinuousDelivery(Pipeline)

* Continuous Delivery. Reliable Software Releases through Build, Test, and Deployment Automation. by Jez Humble and David Farley.

Lack of alignment

=0• DifferentDirectionandGoals

• LackofAlignmentCanceleachotherout

• Feelingofconstantworkwithnorealprogress

Walls of confusion

Business Development

Operations

InfoSec

Dev

OpsSec

Dev

Ops

QA

Sec

Biz

...

WhyDevOps?

Waterfall

Plan Code Build Test PrepareDeploy

Deploy Monitor Operate

Years,Months,Weeks

SDL

https://social.technet.microsoft.com/wiki/contents/articles/7100.the-security-development-lifecycle.aspx

DevOps Process

Continuously(days,hours,minutes)http://www.northcrossgroup.com/capabilities/devops/index.php

Our Problem• SASTandDASTprocesswhereslowandtimeconsuming

• DeploymentsweregatedduetohavingtocompleteStaticandDynamicanalysis

• Wewereaskedtogofasterbutstillbecomplaintwith(our)InfoSecrequirements

• Savetimebyautomatingscanmanualprocess• DAST&SASTdurationwasnon-deterministic

HOWCANWEINTEGRATESECURITYGATES?

IntheDevOpsflow

ContinuousDelivery(Pipeline)

* Continuous Delivery. Reliable Software Releases through Build, Test, and Deployment Automation. by Jez Humble and David Farley.

SAST

DAST

PenTest

StaticApplicationSecurityTesting

• Findsecuritybugs• ‘Faster’insideout• Readsyourcode• Worksatrest

CommitStage

Commit Compile Tests Assemble

CodeAnalysis• SAST• CodeQuality

IntegratedSASTProcess

ToolstoIntegrateyourOwn

• Git (Git Hub*)• Jenkins*• SonarQube*• AnyOWASPSonarQube ProjectPlugin

*Namesandbrandsarethepropertyoftheirrespectiveowners

OpenSourceAlternative

DynamicApplicationSecurityTesting

• Find‘other’securitybugs• ‘Slower’outsidein• Playswithyourapplication• Worksatplay

AcceptanceStage

ConfigureEnvironment

DeployBinaries SmokeTests Acceptance

Test DAST

IntegratedDASTProcess

GOINGFURTHER,SECURITYTESTING

Integratingmoresecurityvalidationsintoourdeliverypipeline

Why?

• Enhancedassurance• Fasterfeedback• Innovation• DASThassome‘deficiencies’

ZAPIntegrationintoourpipeline

*

Advantagesinthenewapproach

• Acceptancetestallowa‘knowledgeable’scanwithZAP

• ReportingfromZAPintegratedintobuildsgivetraceability

• Easyintegration,justneededtochangeproxysettingsintothetestingboxes

SomeHighlights

• WhileDASTandSASTshowednoissues,ZAPreportedvulnerabilities

• ZAPapproachturnedtobefasterthanDASTorSASTscans

• ZAPscandurationisdeterministic(sameasacceptancetests)

• AccordingtoStateofDevOpshighperformerteamsspend50%lesstimeremediatingsecurityissues