Application Security in a DevOps World
Three Methods for Shifting Left
One weak spot is all it takes
Software Security Defined
“Software security is the idea of engineering software so that it continues to function correctly under malicious attack.”
“Although the notion of protecting software is an important one, it’s just plain easier to protect something that is defect-free than something riddled with vulnerabilities.”
(Gary McGraw, Cigital)
https://buildsecurityin.us-cert.gov/resources/building-security-in/software-security
Agenda
DevOps and DevSecOps or is it DevOpsSec
Pen-testing
Static analysis & Prevention
Hybrid testing
Risk management – OWASP style
Factors: Prevalence, Detectability, Exploitability, Impact
Real Business Impacts
Penetration Testing
• Verify that security policy is working
• Tests from the outside in
• Variety of scenarios such as
– Parameter fuzzing
– Unexpected packets on the BUS
– XML Bombs
– Unauthorized Bluetooth
– Unexpected TPMS
IoT specifics
• Multi-layered systems
• Disparate technologies
• Functionality spanning across many layers
Effectiveness of Pen-testing
• Labor intensive
• Difficult to automate
• Difficult to start early
• Requires inter-team synchronization
• Difficult to test error handlers
• Failed tests do not provide precise information about failure points
Static Analysis
Pattern-based:
• Low false positives
• Fast
• Prevention focus
Flow-based:
• Real bugs
• Complex issues
• Mirror real use
• Fix focus
Fix or Prevent
Purpose of Coding Standards
• “Proven programming practices leading to safe, reliable, testable, and maintainable code”
• “Address potentially unsafe language features, and provide programming rules to avoid those pitfalls”
• “By providing “safer” alternatives to “unsafe” facilities, known problems … are avoided. In essence, programs are written in a “safer” subset of a superset.”
Simple Prevention Process – an example
Detect the error
• Load testing shows leaking connections to the database
Find the cause
• Open connections aren’t being closed, causing resource leaks
Locate the point in production that caused the error
• Developer has forgotten to close db connections upon client termination
Implement preventative process
• Use a coding standard to ensure each open connection is closed before exit
Monitor the process
• Use static analysis to enforce the standard
Add regression test
• Add a test to verify the problem was fixed and doesn’t return
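As an added example (mine, not the deck's tooling), a pattern-style static check in Python that enforces the coding standard from the process above, run over a constructed sample module; the rule, the sample code and the function names are assumptions:

```python
import ast
from typing import List

# Constructed sample module to analyse: three ways of opening a connection,
# one of which leaks when the client disconnects mid-request.
SAMPLE_SOURCE = '''
import sqlite3
from contextlib import closing

def leaky(path):
    conn = sqlite3.connect(path)
    return conn.execute("SELECT 1").fetchone()   # conn is never closed

def closed_in_finally(path):
    conn = sqlite3.connect(path)
    try:
        return conn.execute("SELECT 1").fetchone()
    finally:
        conn.close()

def closed_by_with(path):
    with closing(sqlite3.connect(path)) as conn:
        return conn.execute("SELECT 1").fetchone()
'''

def _is_connect_call(node: ast.AST) -> bool:
    """True for connect(...) or <anything>.connect(...)."""
    if not isinstance(node, ast.Call):
        return False
    func = node.func
    return ((isinstance(func, ast.Name) and func.id == "connect")
            or (isinstance(func, ast.Attribute) and func.attr == "connect"))

def _closed_in_finally(func: ast.FunctionDef, name: str) -> bool:
    """True if name.close() appears inside a finally: block of func."""
    for node in ast.walk(func):
        if not isinstance(node, ast.Try):
            continue
        for stmt in node.finalbody:
            for sub in ast.walk(stmt):
                if (isinstance(sub, ast.Call)
                        and isinstance(sub.func, ast.Attribute)
                        and sub.func.attr == "close"
                        and isinstance(sub.func.value, ast.Name)
                        and sub.func.value.id == name):
                    return True
    return False

def find_unclosed_connections(source: str) -> List[str]:
    """Rule: a connection bound to a name must be closed in a finally block.
    A connection opened as a with-statement context expression is accepted; the
    standard must then also require a context manager that really closes
    (contextlib.closing for sqlite3, whose own with-block only commits)."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if not (isinstance(node, ast.Assign) and _is_connect_call(node.value)):
                continue
            target = node.targets[0]
            if isinstance(target, ast.Name) and not _closed_in_finally(func, target.id):
                findings.append(f"{func.name}:{node.lineno}: '{target.id}' is "
                                "opened but never closed in a finally block")
    return findings
```

Wiring the check into the build (the "monitor the process" step) turns each new leak into a failed build rather than a production incident; the regression test is then simply this check run over the file that had the bug.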
Coding Defensively: Validating inputs
(Diagram: 3 entry points and 9 paths through the code, with 4 potential vulnerabilities. The solution = validate inputs upon entry, with one Validate at each of the 3 entry points.)
Preventing SQL Injection
// Vulnerable: user input is concatenated straight into the SQL statement
String username = request.getParameter("USER");
String password = request.getParameter("PASSWORD");
String query = "SELECT * FROM Users WHERE username='" +
    username + "' AND password='" + password + "'";
statement.execute(query);
An attacker passes "' or 1=1" for username creating:
SELECT * FROM Users WHERE username='' or 1=1 AND password='foo'
Prevention: wrap input in validation:
String username = validate(request.getParameter("USER"));
String password = validate(request.getParameter("PASSWORD"));
Selecting Static Analysis
• Handling of: severity levels, suppressions, code based on age
• Integration with SCM
• Integration with bug tracking (internal & field)
• Integration with peer review
• Analytics
Hybrid Security Analysis - IAST
• Penetration testing to automatically generate and run penetration attack scenarios
• Runtime error detection to monitor the back-end during test execution to determine whether security is actually compromised
• Correlates each runtime error with the functional test being run, allowing you to trace each reported error to the specific use case
Hybrid Security Analysis
How to do it better?
• Use stubs, mocks and service virtualization to improve testing automation
– Isolate at the message layer
– Simulate functional scenarios and performance conditions
Divide & Conquer with Service Virtualization
• Separate critical components
• Move testing earlier
• Isolate attack surfaces
• Run functional tests vs. security scenarios
Security Cases with Service Virtualization
(Diagram: virtual services stand in for the dependent application, accounts, database and mainframe around the system under test; case shown: SSL certificates, acceptable/unacceptable.)
Security Cases with Service Virtualization
(Diagram: system under test and virtual services; case shown: SQL injection.)
Security Cases with Service Virtualization
(Diagram: virtual services return a malicious response to the system under test; case shown: SQL injection.)
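An added example of the "malicious response" case above, written here and not taken from the deck: an in-process virtual accounts service answers with one constructed response per scenario, and a client standing in for the system under test must reject everything that is not exactly what it expects. AccountsClient, the field names and the scenario bodies are assumptions.

```python
import json
from typing import Any, Callable, Dict

# The transport the system under test would use to reach the accounts
# service; in a security test it is replaced by a virtual service.
Transport = Callable[[str], bytes]

MAX_BODY_BYTES = 4096
EXPECTED_FIELDS = {"account_id": str, "balance_cents": int, "currency": str}

class AccountsClient:
    """System under test: the code path that consumes the dependent
    accounts service. It treats the response as untrusted input."""

    def __init__(self, transport: Transport) -> None:
        self._transport = transport

    def get_account(self, account_id: str) -> Dict[str, Any]:
        raw = self._transport(f"/accounts/{account_id}")
        if len(raw) > MAX_BODY_BYTES:                  # bound memory before parsing
            raise ValueError("response too large")
        try:
            data = json.loads(raw.decode("utf-8"))
        except (UnicodeDecodeError, ValueError) as exc:
            raise ValueError("response is not valid JSON") from exc
        if not isinstance(data, dict) or set(data) != set(EXPECTED_FIELDS):
            raise ValueError("unexpected response shape")   # no surprise fields
        for key, typ in EXPECTED_FIELDS.items():
            if type(data[key]) is not typ:                 # exact type: bool is not int here
                raise ValueError(f"field {key} has the wrong type")
        if data["account_id"] != account_id:
            raise ValueError("response is for a different account")
        return data

def _body(**fields: Any) -> bytes:
    return json.dumps(fields).encode("utf-8")

# Virtual accounts service: constructed responses, one per security case.
SCENARIOS: Dict[str, bytes] = {
    "normal": _body(account_id="42", balance_cents=1500, currency="USD"),
    "oversized": b"[" + b"0," * 5000 + b"0]",
    "not_json": b"<html>502 Bad Gateway</html>",
    "extra_field": _body(account_id="42", balance_cents=1500, currency="USD", is_admin=True),
    "wrong_type": _body(account_id="42", balance_cents="1500", currency="USD"),
    "wrong_account": _body(account_id="7", balance_cents=1500, currency="USD"),
}

def virtual_accounts_service(scenario: str) -> Transport:
    """Stand-in for the dependent application: answers every request with
    the chosen scenario's body, whatever path is requested."""
    return lambda path: SCENARIOS[scenario]

def run_security_cases() -> Dict[str, str]:
    """Drive the client through every scenario; returns the outcome per case."""
    outcomes: Dict[str, str] = {}
    for name in SCENARIOS:
        client = AccountsClient(virtual_accounts_service(name))
        try:
            client.get_account("42")
            outcomes[name] = "accepted"
        except ValueError as exc:
            outcomes[name] = f"rejected: {exc}"
    return outcomes
```

Because the dependent service is virtualized at the message layer, these cases run in a unit-test stage long before an integration environment exists, which is the "move testing earlier" point of the preceding slides.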
Conclusion
• Standards and static analysis applied properly prevent errors
• Integrated results provide control, measurement, and traceability
• Cost of a solid prevention methodology is less than the cost of dealing with bad software
Security Resources
CWE – Common Weakness Enumeration
• http://cwe.mitre.org
CERT - Secure Coding Guidelines
• https://www.securecoding.cert.org
Build Security In – Collaborative security effort
• https://buildsecurityin.us-cert.gov
Parasoft
• http://www.parasoft.com
• Web – http://www.parasoft.com
• IoT Hall-of-Shame – http://bit.ly/iotshame
• Blog – http://alm.parasoft.com, http://codecurmudgeon.com
• Social – Facebook: https://www.facebook.com/parasoftcorporation; Twitter: @Parasoft @CodeCurmudgeon; LinkedIn: http://www.linkedin.com/company/parasoft
