Including security in devops
DevOpsCH
21/01/2016 – Jérémy MATOS
whois securingapps
Developer background
Spent last 10 years working between Geneva and Lausanne
implementing and deploying security products and solutions
Focus on mobile since 2010
Now software security consultant at my own company
http://www.securingapps.com
Provide services to build security in software
Mobile
Web
Cloud
Internet Of Things
https://twitter.com/securingapps
Introduction
Security is often out of scope of DevOps initiatives
Historically, security has been in the hands of operations
Emphasis on network infrastructure
Keep the bad guy out
Firewall (DMZ, vlans), Reverse proxy (WAF), Intrusion Detection System (IDS), etc…
Fine tuning OS/database configurations
If bad guy can still enter, reduce impact
Disabling features, patching, access right policies, audit logging, encryption, etc…
Application security not always addressed in the SDLC
Security strategy in the organisation
Chief Information Security Officer (CISO) often
Has no practical experience in dev, nor control over the dev team
Considers software as a black box
Can only recommend to comply with generic safe coding guidelines
Buys stuff for sysadmins and asks them to fill the gaps
Those extra security integration steps
Slow down deployment
Cause bugs only in production because of stricter config
Lead to issues difficult to fix by sysadmins only
Business often pushes to get lowest acceptable security level:
Demonstrate the organisation somehow cares about security in
case things turn bad
Building security in
OWASP Software Assurance Security Model (diagram, rendered as text)
Lifecycle phases: Requirements and use cases; Architecture and design; Code; Tests and test results; Operations / service delivery
Security practices: Security Requirements; Security Standards & Guidelines; Secure Architecture; Attack Models & Threat Assessment; Architecture & Design Analysis; Code Review; Security Testing; Penetration Testing; Vulnerability Management; Environment Hardening; Operational Enablement
Penetration testing: automated tools
Pen testers first rely on automated tools to get an idea of where to look
Script kiddies only rely on those free tools
Well, run those tools in the continuous integration loop! e.g.
ZAP : Vulnerability finder for web applications
Sqlmap : SQL injection detection
Get rather good coverage on basic web attacks
Pentesters will be paid to find higher value issues
Script kiddies will probably give up and switch to another target
You won’t get hacked because of a basic mistake
Penetration testing: OWASP ZAP
Java GUI tool
Can be instrumented using
Java, e.g. Jenkins Plugin
Automatically crawls a webapp and tests common vulnerabilities
Scan time may vary from
seconds to hours
There are false positives!
Yellow (and even orange) findings are not really significant
Penetration testing: sqlmap
Great python CLI tool
Automatically tests very complex SQL attacks
Detects the database type and adapts injections
Expects a url with
parameters
Really useful to validate the findings of ZAP concerning SQL
Penetration testing: challenges
Lots of findings to manage
No longer a point-in-time assessment with a few points to address
Reports must be processed automatically
1 issue = 1 entry in bug tracking does not scale (false positives…)
Issues must have a good identifier to be tracked over time
Do not switch to the least effort mode
Application security errors (e.g. XSS, SQLi) must be fixed in code
Do not rely on a workaround in the server config
Write a unit test
Test application in both environments
Standalone to discover as many errors as possible
Hardened environment to ensure countermeasures are effective
Review application & environment logs to check alerts are usable
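The two points above that bite first in a pipeline are the false positives (the yellow and orange ZAP findings) and the "1 issue = 1 bug-tracker entry" problem. The script below is an added example, not code from the talk or from the ZAP project: it models the shape of ZAP's JSON report (site, alerts, instances with pluginid, riskcode, confidence, uri, method, param), drops findings below a risk and confidence threshold, collapses instances into one finding with a stable identifier (rule + method + URL path + parameter name, with query values discarded so payloads and session ids do not create new entries), skips identifiers a human has already marked as false positives, and fails the build only while a High finding remains. The report content, plugin ids and URLs are constructed for the example; the fingerprint scheme is a suggestion, not a ZAP feature.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Constructed sample, modelled on the shape of ZAP's JSON report
# (site -> alerts -> instances); plugin ids and URLs are illustrative only.
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "http://app.test",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2",
             "instances": [
                 {"uri": "http://app.test/search?q=a&sid=111", "method": "GET", "param": "q"},
                 {"uri": "http://app.test/search?q=b&sid=222", "method": "GET", "param": "q"}]},
            {"pluginid": "40018", "alert": "SQL Injection",
             "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "http://app.test/item?id=1", "method": "GET", "param": "id"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "http://app.test/", "method": "GET", "param": ""}]},
            {"pluginid": "10096", "alert": "Timestamp Disclosure",
             "riskcode": "0", "confidence": "1",
             "instances": [{"uri": "http://app.test/", "method": "GET", "param": ""}]},
        ]}]})

RISK = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


def finding_id(pluginid, method, uri, param):
    """Stable identifier for a finding: rule + method + URL path + parameter name.
    Query values (payloads, session ids) are dropped so the same flaw keeps the
    same id from one scan to the next and can be tracked in a bug tracker."""
    path = urlsplit(uri).path or "/"
    key = "|".join([pluginid, method.upper(), path, param])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def triage(report_json, min_risk=2, min_confidence=2, known_false_positives=()):
    """Collapse alert instances into findings and drop the noise.

    min_risk / min_confidence use ZAP's numeric scale (0..3): the default keeps
    Medium and High findings with at least Medium confidence, i.e. it ignores
    the yellow/orange entries. known_false_positives holds ids reviewed by a
    human and stored next to the code."""
    findings = {}
    for site in json.loads(report_json)["site"]:
        for alert in site["alerts"]:
            if int(alert["riskcode"]) < min_risk or int(alert["confidence"]) < min_confidence:
                continue
            for inst in alert["instances"]:
                param = inst.get("param", "")
                fid = finding_id(alert["pluginid"], inst["method"], inst["uri"], param)
                if fid in known_false_positives:
                    continue
                entry = findings.setdefault(fid, {
                    "id": fid, "rule": alert["pluginid"], "name": alert["alert"],
                    "risk": RISK[alert["riskcode"]], "method": inst["method"],
                    "path": urlsplit(inst["uri"]).path, "param": param, "instances": 0})
                entry["instances"] += 1
    return findings


def build_passes(findings):
    """Gate for the pipeline: fail the build while any High-risk finding remains."""
    return not any(f["risk"] == "High" for f in findings.values())


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for f in result.values():
        print(f"{f['id']}  {f['risk']:<6} {f['method']} {f['path']} [{f['param']}] "
              f"{f['name']} x{f['instances']}")
    print("build passes:", build_passes(result))
```

On the sample, the two Low/Informational alerts are dropped, the two XSS instances on /search collapse into one finding, and the build is blocked by the two High findings until they are fixed in code or, after review, listed as false positives by id.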
Code review
Static Application Security Testing (SAST):
Scan source code to look for dangerous constructions
Integration is generally straightforward, as it is a pure dev question
Most solutions, and particularly free ones, are better at identifying quality
issues than real security problems
Generally poor results on dynamic languages (e.g. javascript, PHP…)
Sonar feedback is still useful
Same challenges as automated pentesting (DAST)
Many issues to address
Customizing rules is key to reduce false positive rate
Security rules need to be updated regularly to keep up with attacks and new frameworks/libraries
New rules => new issues, but on old code
Security testing
If you have implemented or integrated security features, they should be automatically tested
Use case to check legitimate logic/data is indeed accepted
Abuse case to confirm invalid logic/data is refused
Whenever possible, consider writing unit tests
If impossible, set up an integration test
Examples of possible unit tests for a JWT authentication
Change any field of a valid token and expect a signature error
Remove signature from JSON payload and expect a signature error
Move time in past or future and check behavior for Not before,
Expiration time and Issued at fields
A vulnerability is fixed with a unit or integration test proving it
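The JWT unit tests listed above, written out as an added example that is not part of the talk. The verifier and the toy HS256 issuer are built on the Python standard library only (no JWT library is assumed), and the key, the fixed clock T0 and the claims are constructed for the test. Each abuse case builds a token the way the slide describes (a changed field with the old signature, a removed signature, and a clock moved before nbf, after exp, or before iat) and expects a TokenError; one extra case, not on the slide, checks that the verifier refuses a header whose alg is not the one it expects.

```python
import base64
import hashlib
import hmac
import json


class TokenError(Exception):
    """Raised for any token the verifier refuses."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, key: bytes) -> str:
    """Toy HS256 issuer, only needed to build the test inputs."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify(token: str, key: bytes, now: int, leeway: int = 0) -> dict:
    """Code under test: signature first, then the time claims, against an injected clock."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise TokenError("missing signature")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64url(header_b64))
        sig = _unb64url(sig_b64)
    except ValueError:
        raise TokenError("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")  # the verifier, not the token, picks the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if "exp" in claims and now >= claims["exp"] + leeway:
        raise TokenError("expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise TokenError("not yet valid")
    if "iat" in claims and claims["iat"] > now + leeway:
        raise TokenError("issued in the future")
    return claims


# Constructed fixtures: fixed key and clock keep the tests deterministic.
KEY = b"constructed-test-key-not-for-real-use"
T0 = 1_700_000_000
GOOD = {"sub": "alice", "iat": T0, "nbf": T0, "exp": T0 + 600}


def rejects(token: str, now: int) -> bool:
    """True when the verifier refuses the token at the given time."""
    try:
        verify(token, KEY, now)
    except TokenError:
        return True
    return False


def run_cases() -> dict:
    """One use case and six abuse cases; each value is True when the verifier behaved correctly."""
    token = sign(GOOD, KEY)
    header_b64, payload_b64, sig_b64 = token.split(".")
    tampered_payload = _b64url(json.dumps(dict(GOOD, sub="admin"), separators=(",", ":")).encode())
    none_header = _b64url(b'{"alg":"none","typ":"JWT"}')
    return {
        "valid_token_accepted": verify(token, KEY, now=T0 + 1)["sub"] == "alice",
        "changed_field_rejected": rejects(f"{header_b64}.{tampered_payload}.{sig_b64}", now=T0 + 1),
        "removed_signature_rejected": rejects(f"{header_b64}.{payload_b64}.", now=T0 + 1),
        "alg_none_rejected": rejects(f"{none_header}.{payload_b64}.{sig_b64}", now=T0 + 1),
        "before_nbf_rejected": rejects(token, now=T0 - 10),
        "after_exp_rejected": rejects(token, now=T0 + 601),
        "future_iat_rejected": rejects(sign(dict(GOOD, iat=T0 + 3600), KEY), now=T0 + 1),
    }


if __name__ == "__main__":
    for name, ok in run_cases().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Passing the clock in as a parameter is what makes the time-based cases unit tests rather than integration tests: no sleeping, no mocking of the system clock, and the boundary (now equal to exp is already expired) can be pinned exactly.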
Deployment
Vulnerability management
For your infrastructure: vulnerability scanner
Nessus Home free, but not for commercial usage
For your software: keep dependencies up to date
OWASP dependency check
Be careful with javascript hosted on CDN
Subresource Integrity recently introduced by W3C can help
Your automated tests should enable you to update 3rd party code transparently
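For the CDN-hosted JavaScript point, here is an added example (not from the talk) of what Subresource Integrity does: the integrity attribute carries a base64 digest of the expected file, and the browser refuses to run a script whose body no longer matches. The block computes the attribute at build time from a constructed script body, emits the script tag, and re-implements the browser-side check in miniature (several digests may be listed; only those using the strongest recognised algorithm are compared, and a value with no usable algorithm is ignored, as the specification prescribes). The script content and URL are constructed.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a library fetched from a CDN.
SCRIPT = b"window.lib = { version: '1.0.0' };\n"

# Algorithms the check recognises; a browser only compares the strongest one listed.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Value of the integrity attribute: '<algo>-<base64 of the raw digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def script_tag(src: str, body: bytes) -> str:
    """<script> tag for a resource whose expected body is known at build time.
    crossorigin is required for the browser to check SRI on cross-origin resources."""
    return f'<script src="{src}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'


def integrity_ok(body: bytes, integrity: str) -> bool:
    """Miniature of the browser-side rule: keep the entries that use the strongest
    recognised algorithm and accept the body if it matches any one of them.
    With no usable entry the resource is allowed, as the specification says."""
    entries = []
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        b64 = rest.split("?", 1)[0]  # drop the optional '?options' suffix
        if algo in STRENGTH:
            entries.append((algo, b64))
    if not entries:
        return True
    best = max(STRENGTH[a] for a, _ in entries)
    return any(hmac.compare_digest(sri_hash(body, a).encode(), f"{a}-{b}".encode())
               for a, b in entries if STRENGTH[a] == best)


if __name__ == "__main__":
    print(script_tag("https://cdn.example/lib.js", SCRIPT))
    print("unchanged body accepted:", integrity_ok(SCRIPT, sri_hash(SCRIPT)))
    print("modified body accepted:", integrity_ok(SCRIPT + b"// extra\n", sri_hash(SCRIPT)))
```

The practical consequence for the pipeline is the one the slide states: when a third-party file is updated, the attribute must be regenerated from the new content, so the tag is best produced by the build from the pinned dependency rather than edited by hand.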
Environment hardening
Great guide (in French) from ANSSI to secure GNU Linux
Include those recommendations in your Docker/VM images
Conclusion
Security is both a matter of dev and ops
Security features are features and hence should be
automatically tested
Free and automated application security tools are available:
why not include them in the continuous deployment pipeline?
Yet continuous integration tools are not particularly secure
Continuous Intrusion: Why CI tools are an attacker’s best friends
Keep an eye on your deployment
Pay great attention if accessible from outside your LAN
Thank you !
Any questions?
contact@securingapps.com