Code review and security audit in private cloud - Arief Karfianto

Download as PPTX, PDF

0 likes1,495 views

This document discusses implementing code review and security in a private cloud environment. It outlines some common problems that occur during app development like bugs, errors, and lack of version control. The document then proposes hosting source code in a private cloud repository for improved security, availability, and compliance. It describes using tools like Git, Gitweb and VPN access to implement a flexible source code management system in the cloud with role-based access control and snapshot capabilities.

Technology

Code Review and Security
Audit in Private Cloud
@karfianto
UKP4

About Me
• UPN alumnus
• civil cervant
• sysadmin
• system analyst
• app tester

Things I Like
• foss
• website optimization
• system security
• wireframing

Problems in App Development
• design
• functionality test
• security test
• maintenance

Problem: Maintenance
From: sysadmin
Hi Developers,
There’s a bug in your app
From: postmaster
Error
User not found dude@expert.com

Security Test
• Blackbox
• Greybox
• Whitebox (Code Review)

Problem: Access to Source
Code
From: Developers
Hi sysadmin,
We found some bugs in the
app, we will patch soon
From: Sysadmin
Hi developer,
Username: root
Password: 123456

Problem: No Changes History
From: Developers
Hi sysadmin,
We found some bugs in the
app, we will patch soon
From: Sysadmin
Hi developer,
Please send me the
changed php files..

500 Internal Server Error
From: Sysadmin
Hi developer,
There’s another error after
patching. Please roll them
back ..!!

Let’s Make Our Job Easier
• Create source code repository
• Use versioning
• Control user access to the code
• No access to production servers

Make It Private
• security
• availability
• policy compliance (e.g. iso27001)

...and Flexible
Using Cloud Infrastructure
• Flexible Resource
• Cloning
• High Availability
• Snapshot and Restore

Related Tools
• Git : a version control system
• Gitweb : the git web interface
• Gitosis : repository access control
• VPN & SSH : tunneled access

Creating a Repository
root@revision-control ~# ./addrepo.sh
Please enter repository name and description
Name :sample-app2
Description :Sample application 2.0
Creating a repository...
Initialized empty Git repository in /srv/repos/git/sample-app2/.git/
# On branch master
#
# Initial commit
#
nothing to commit (create/copy files and use "git add" to track)
Cloning into bare repository repositories/sample-app2.git...
done.
warning: You appear to have cloned an empty repository.
[Done]

Gitosis Config
Copy the public key to server
Then edit gitosis.conf..
[group sample-app2]
writable = sample-app2
members = intruder@LENOVOY460
John@Doe.PC

More Related Content

What's hot (20)

ODP

Introduction to Git(BitBucket) , Continuous Integration (Bamboo) & Confluence Parag Gajbhiye

PPTX

Testing Without a GUI Using TestCompleteSmartBear

PPTX

C#: Past, Present and FutureRodolfo Finochietti

PDF

T23 HTML5 Security Testing at SpotifyTechWell

PPTX

Build PWA with Ionic ToolkitPavel Kurnosov

PPTX

How to keep Jenkins logs forever without performance issuesLuca Milanesio

PPTX

DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan RomanDevSecCon

PPTX

Azure FunctionsRodolfo Finochietti

PPTX

Meteor AngularPavel Kurnosov

PPTX

Forcelandia Salesforce CIDaniel Hoechst

PPTX

CloudFest 2018 Hackathon Project Results Presentation - CFHack18Jeffrey J. Hardy

PDF

Travis CIАнете Аннемария

PDF

Reach the next level with PowerShellJaap Brasser

PDF

Product update 1 2018🌍 Job van der Voort

PDF

Automating security with PowerShellJaap Brasser

PPTX

Tanner Ellen - Forcelandia 2016 - Dev Stack.pptxSeedCode

PPTX

Azure DevOps Overview [Arabic]ahmadezzeir

PDF

Hello world - intro to node jsRefresh Annapolis Valley

PDF

Divine and felonios cyber security devopsdays austin 2018John Willis

PDF

Next Generation Infrastructure - Devops Enterprise Summit 2018John Willis

Introduction to Git(BitBucket) , Continuous Integration (Bamboo) & Confluence Parag Gajbhiye

Testing Without a GUI Using TestCompleteSmartBear

C#: Past, Present and FutureRodolfo Finochietti

T23 HTML5 Security Testing at SpotifyTechWell

Build PWA with Ionic ToolkitPavel Kurnosov

How to keep Jenkins logs forever without performance issuesLuca Milanesio

DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan RomanDevSecCon

Azure FunctionsRodolfo Finochietti

Meteor AngularPavel Kurnosov

Forcelandia Salesforce CIDaniel Hoechst

CloudFest 2018 Hackathon Project Results Presentation - CFHack18Jeffrey J. Hardy

Travis CIАнете Аннемария

Reach the next level with PowerShellJaap Brasser

Product update 1 2018🌍 Job van der Voort

Automating security with PowerShellJaap Brasser

Tanner Ellen - Forcelandia 2016 - Dev Stack.pptxSeedCode

Azure DevOps Overview [Arabic]ahmadezzeir

Hello world - intro to node jsRefresh Annapolis Valley

Divine and felonios cyber security devopsdays austin 2018John Willis

Next Generation Infrastructure - Devops Enterprise Summit 2018John Willis

Similar to Code review and security audit in private cloud - Arief Karfianto (20)

PPTX

Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates

PPTX

Git Ninja (bigapp KT)Ashok Kumar

PDF

LasCon 2014 DevOoops Chris Gates

PDF

Inside GitHuberr

PDF

Inside GitHub with Chris WanstrathSV Ruby on Rails Meetup

PDF

DevOops & How I hacked you DevopsDays DC June 2015Chris Gates

PPTX

Securing the continuous integrationIrene Michlin

PDF

Git Workshop : Git On The ServerWildan Maulana

PDF

Assign, commit, and review - A developer’s guide to OpenStack contribution-20...OpenCity Community

PDF

Git 101 for CloudStackSebastien Goasguen

PDF

Startup Camp - Git, Python, Django sessionJuraj Michálek

PDF

Assign, Commit, and ReviewZhongyue Luo

PDF

Gerrit linuxtag2011thkoch

PDF

Extending GitHub to Meet your Open Source PolicyFINOS

PDF

Github - Git Training Slides: FoundationsLee Hanxue

PDF

Ln monitoring repositoriessnyff

KEY

How I Learned to Stop Worrying and Love the Cloud - Wesley Beary, Engine YardSV Ruby on Rails Meetup

PPTX

Something Died Inside Your Git RepoCliff Smith

PDF

Developing Rails Apps in Technical IsolationJesus Jackson

PDF

[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs PROIDEA

Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates

Git Ninja (bigapp KT)Ashok Kumar

LasCon 2014 DevOoops Chris Gates

Inside GitHuberr

Inside GitHub with Chris WanstrathSV Ruby on Rails Meetup

DevOops & How I hacked you DevopsDays DC June 2015Chris Gates

Securing the continuous integrationIrene Michlin

Git Workshop : Git On The ServerWildan Maulana

Assign, commit, and review - A developer’s guide to OpenStack contribution-20...OpenCity Community

Git 101 for CloudStackSebastien Goasguen

Startup Camp - Git, Python, Django sessionJuraj Michálek

Assign, Commit, and ReviewZhongyue Luo

Gerrit linuxtag2011thkoch

Extending GitHub to Meet your Open Source PolicyFINOS

Github - Git Training Slides: FoundationsLee Hanxue

Ln monitoring repositoriessnyff

How I Learned to Stop Worrying and Love the Cloud - Wesley Beary, Engine YardSV Ruby on Rails Meetup

Something Died Inside Your Git RepoCliff Smith

Developing Rails Apps in Technical IsolationJesus Jackson

[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs PROIDEA

More from idsecconf (20)

PDF

IDSECCONF2024 Capture The FLag Write up - 3 MAS MASidsecconf

PDF

IDSECCONF2024 - Rifqi Hilmy Zhafrant - Hunting and Exploiting GraphQL Vulnera...idsecconf

PDF

IDSECCONF2024 - Arief Karfianto - AI-Enhanced Security Analysis in Requiremen...idsecconf

PDF

IDSECCONF2024 - Ryan Fabella, Daniel Dhaniswara - Keamanan Siber Pada Kendara...idsecconf

PDF

IDSECCONF2024 - Angela Oryza - ITS Nabu-Platform Pelatihan Keamanan Siber den...idsecconf

PDF

IDSECCONF2024 - Rama Tri Nanda - MQTT hacking, RCE in Smart Router.pdfidsecconf

PDF

IDSECCONF2024 - Muhammad Dwison - The Implementation Of One Pixel Attack To S...idsecconf

PDF

IDSECCONF2024 - Kang Ali - Local LLM can Simulate Apt Malware With Jailbreak ...idsecconf

PDF

IDSECCONF2024 - Brian Nasywa - Comparison of Quantum Key Distribution Protoco...idsecconf

PDF

idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf

PDF

idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...idsecconf

PDF

idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf

PDF

idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdfidsecconf

PDF

idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...idsecconf

PDF

idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf

PDF

idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...idsecconf

PDF

Ali - The Journey-Hack Electron App Desktop (MacOS).pdfidsecconf

PDF

Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...idsecconf

PDF

Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfidsecconf

PDF

Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...idsecconf