Better Security Testing: Using the Cloud and Continuous Delivery
1 like342 views
The document outlines a maturity model for security testing in software development, emphasizing the importance of integrating security into the continuous integration and delivery processes. It highlights various levels of security testing, from no testing to full continuous delivery, and recommends using open-source tools to enhance security practices. The findings suggest that earlier security testing leads to better remediation outcomes and that leveraging cloud computing can provide significant opportunities for effective security testing.
Better Security Testing: Using the Cloud and Continuous Delivery
- 1. 1© Copyright 2013 Coveros, Inc. All rights reserved. Gene Gotimer, Senior Architect [email protected]
- 2. 2© Copyright 2013 Coveros, Inc. All rights reserved. Coveros helps organizations accelerate the delivery of business value through secure, reliable software About Coveros
- 3. 3© Copyright 2013 Coveros, Inc. All rights reserved. Security Testing Late in the cycle Issues are not remediated Needs ROI: lower cost, better results, or both
- 4. 4© Copyright 2013 Coveros, Inc. All rights reserved. Security Testing Consider open-source and free tools Opportunities in Continuous Delivery and Cloud Identify low effort opportunities using free and open-source tools
- 5. 5© Copyright 2013 Coveros, Inc. All rights reserved. Continuous Integration Merge work frequently Code commits to source control Unit tests run automatically No long integration cycle at the end Fix code when we find problems Build-Test-Commit cycle = rapid feedback
- 6. 6© Copyright 2013 Coveros, Inc. All rights reserved. Continuous Delivery Every build potentially releasable Release is a business decision Extrapolation of Continuous Integration – Deploys – Functional tests – Load and performance tests – Security tests Build-Test-Commit-Deploy-Test-Release cycle
- 7. 7© Copyright 2013 Coveros, Inc. All rights reserved. Cloud Computing Can’t wait for long procurement Public or Private clouds Works well with Continuous Delivery – Easy to deploy – New environments whenever
- 8. 8© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing Level 0: No Security Testing Level 1: Unit Testing and Static Analysis Level 2: Automated Deploys and Functional Testing Level 3: Automated Configuration Management Level 4: Cloud Deployments Level 5: Continuous Delivery
- 9. 9© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing Level 0: No Security Testing Level 1: Unit Testing and Static Analysis Level 2: Automated Deploys and Functional Testing Level 3: Automated Configuration Management Level 4: Cloud Deployments Level 5: Continuous Delivery
- 10. 10© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing Level 0: No Security Testing Level 1: Unit Testing and Static Analysis Level 2: Automated Deploys and Functional Testing Level 3: Automated Configuration Management Level 4: Cloud Deployments Level 5: Continuous Delivery
- 11. 11© Copyright 2013 Coveros, Inc. All rights reserved. Level 1: Unit Testing and Static Analysis Unit Tests: – Confidence to make changes – Error handling – General logic errors – Bounds checking – Edge conditions
- 12. 12© Copyright 2013 Coveros, Inc. All rights reserved. Level 1: Unit Testing and Static Analysis Static Analysis: – Common errors – Unused variables – SQL injection – Cross-Site Scripting (XSS) – Hard-coded passwords
- 13. 13© Copyright 2013 Coveros, Inc. All rights reserved. Level 1: Unit Testing and Static Analysis Unit testing: JUnit for Java NUnit for .Net PyUnit for Python PHPUnit for PHP Static Analysis: Sonar for many languages PMD for Java FindBugs for Java PHPMD for PHP FxCop for .Net PyChecker for Python pylint for Python
- 14. 14© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing Level 0: No Security Testing Level 1: Unit Testing and Static Analysis Level 2: Automated Deploys and Functional Testing Level 3: Automated Configuration Management Level 4: Cloud Deployments Level 5: Continuous Delivery
- 15. 15© Copyright 2013 Coveros, Inc. All rights reserved. Level 2: Automated Deploys and Functional Testing Automated Deploys: – Frequent security scans – Rapid feedback – Web application scanners: w3af wapiti Skipfish – Start basic, add tuning
- 16. 16© Copyright 2013 Coveros, Inc. All rights reserved. Level 2: Automated Deploys and Functional Testing Functional Testing: – Access control – Data protection – Web Application testing: Selenium
- 17. 17© Copyright 2013 Coveros, Inc. All rights reserved. Level 2: Automated Deploys and Functional Testing Proxies: – Better coverage – XSS and Cross-Site Request Forgery (XSRF) – URLs for logs to augment spidering – Data leakage – Web application proxies: OWASP Zed Attack Proxy (ZAP) Project OWASP WebScarab Ratproxy
- 18. 18© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing Level 0: No Security Testing Level 1: Unit Testing and Static Analysis Level 2: Automated Deploys and Functional Testing Level 3: Automated Configuration Management Level 4: Cloud Deployments Level 5: Continuous Delivery
- 19. 19© Copyright 2013 Coveros, Inc. All rights reserved. Level 3: Automated Configuration Management Deployment/Configuration: Puppet Chef Provisioning: Cobbler Kickstart Windows Deployment Services Completely new systems or build on templates Repeatable configuration management
- 20. 20© Copyright 2013 Coveros, Inc. All rights reserved. Level 3: Automated Configuration Management Complete system scans OpenVAS Nmap Nikto2
- 21. 21© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing Level 0: No Security Testing Level 1: Unit Testing and Static Analysis Level 2: Automated Deploys and Functional Testing Level 3: Automated Configuration Management Level 4: Cloud Deployments Level 5: Continuous Delivery
- 22. 22© Copyright 2013 Coveros, Inc. All rights reserved. Level 4: Cloud Deployments On-demand environments – Long running scans in parallel – Production-sized machines, even temporarily – Failover and high-availability Multiple client systems in parallel – Race conditions – Multi-user interactions
- 23. 23© Copyright 2013 Coveros, Inc. All rights reserved. Level 4: Cloud Deployments Web performance testing frameworks: Apache Jmeter: Java-based UI • HTTP, HTTPS, SOAP, JDBC, LDAP, JMS, SMTP, POP, IMAP ab, ApacheBench: command-line The Grinder: Jython and Clojure Gatling: Scala
- 24. 24© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing Level 0: No Security Testing Level 1: Unit Testing and Static Analysis Level 2: Automated Deploys and Functional Testing Level 3: Automated Configuration Management Level 4: Cloud Deployments Level 5: Continuous Delivery
- 25. 25© Copyright 2013 Coveros, Inc. All rights reserved. Level 5: Continuous Delivery Release ready for production Continuous deployment High levels of automation Dashboards – Custom development
- 26. 26© Copyright 2013 Coveros, Inc. All rights reserved. Personal Experience Agile development grew into Continuous Delivery Automated deploys with Puppet Selenium functional tests JMeter performance tests
- 27. 27© Copyright 2013 Coveros, Inc. All rights reserved. Personal Experience Security testing lagged Excuses: – The “official” tool is expensive. – It would take a lot of time to acquire and then to configure it. – We don’t have time. – It isn’t our responsibility. – The security team wouldn’t accept our scans anyway. Open-source tools Focus on security, not compliance Limited time
- 28. 28© Copyright 2013 Coveros, Inc. All rights reserved. Personal Experience Web application scans with w3af Vulnerability assessments with OpenVAS Security standards checks with Openscap Initial implementation ~ a day each No more freebies
- 29. 29© Copyright 2013 Coveros, Inc. All rights reserved. Conclusion Earlier security testing – Less likely to skip – More likely to remediate Open-source tools Other testing as foundation Gradually add more security tests Continuous Delivery and Cloud Computing give security testing opportunities
- 30. 30© Copyright 2013 Coveros, Inc. All rights reserved. Questions? Gene Gotimer Email: [email protected] Twitter: @CoverosGene