automating security in ci-cd pipelines · 2019. 10. 7. · dynamic application security testing...

Für externe Präsentationen bitte immer eine Titelfolie mit der Ressort-Farbe verwenden.

Automating Security in CI/CD PipelinesOur OWASP ZAP Journey

DB Systel GmbH | Sebastian Biehler, André König, Tommaso Nuccio | Team Application Security Specialists | OpenRheinMain 2019 | 2019-09-13

Agenda

2

1.

2.

3.

Who we are and what we do

A CI/CD pipeline and its security challenges

Dynamic Application Security Testing (DAST)


Who is DB Systel?


Security & Cloud are currently two of our main topics

4 DB Systel GmbH | Sebastian Biehler, André König, Tommaso Nuccio | Team Application Security Specialists | OpenRheinMain 2019 | 2019-09-13

But the cloud is just a tool. You have to use it the right way.

5

DevOps teams= using

CI/CD pipelines


Who is Team Application Security Specialists @ DB Systel?What we do...

Young & agile team implementing a security development lifecycle at DB Systel

DB Systel GmbH | André König | Application Security Specialists | 2019-06-076

Project-definition Evaluation

TechnicalDesign Implementation TestConcept

Typical steps in a software development project

Non-functional Requirements

Threat and Risk Analysis

Shared Security Services and Libraries

ArchitectureReview

Coding Guidelines

Security Tests

Security Kick-Off

Sourcecode Analysis

Design Guidelines

§ P

Reference Architectures Reference Implementations

Security services we offer for our projects

Standards & Guidelines Solutions Quality Assurance

…and why we do it:Attacks on web applications are on top of the list

7

SQLi:SQL Injection

Injecting database commands through e.g. unsanitized input fields on websites

LFI:Local File Inclusion

Accessing confidential server-side files like /etc/passwd through e.g. directory traversal

XSS:Cross-Site Scripting

Injecting script-code through e.g. unsanitized input fields on websites

RFI:Remote File Inclusion

Injecting remote files into the application through e.g. unsanitized input

PHPi:PHP Injection

Injecting PHP objects through unsanitizedinput to deserialization function

Source: ENISA Threat Landscape 2017


...and how we do it:We provide easy to integrate services for our project teams


People Process

Techno-logy

App. Dev. Business Unit

Project 1

Security Business Unit

Application Security Specialists

Application Security Specialists develop

security Service

Security service is provided in image

repository

Project integrates security service in CI

pipeline

Security service is applied on every

commit

Cloud zone of project x

Project xCI Pipeline

Image repository

SAST

Dependencychecker

DAST

pullimage

crea

te &

pus

h im

age

com

mit

code

SASTDependency

check Build IntegrateTest / DAST

Agenda

9

1.

2.

3.






10

Stage Security challenge Security control

Code Repository Vulnerable code (see previous slide) Static Application Security Testing (SAST) on application level

Integration Vulnerabilities in dependent libraries (same) Dependency Checker

Image Repository Vulnerable platform components (OS, Application Server, Database, ...)

Static Application Security Testing (SAST) on platform level

Running Application False negatives from all above, vulnerable configurations, ...


Code

Developer CodeRepository

CI/CDIntegration

Stage

ImageRepository

ContainerImage

CI/CDDeployment Stage

Running Application

Dependencies

SASTDependency

Checker

SASTDAST


Agenda

11

1.

2.

3.






A DAST Tool

n can perform automated security checks on a running application (i.e., in its dynamic context)

n uses well-known attack patterns for automated tests (e.g. SQL injection strings) in requests to the application

n compares the response of the application for different requests (attack patterns)

n deduces successful attacks from changes in the responses (e.g., output length)

n can also act as passive scanner for existing test sets, as intercepting proxy for manual pentesting, ...


Request account details:

Name:

https://webshop.xyz

Schmidt

https://webshop.xyz

Name Credit card

Schmidt 123 456 789

Request account details:

Name:

https://webshop.xyz

Schmidt‘ OR ‘1‘=‘1

https://webshop.xyz

Name Credit card

Albrecht 456 789 123

Arnold 789 123 456

… …

Zimmermann 987 654 321

SELECT * FROM accounts WHERE name=‘Schmidt‘

SELECT * FROM accounts WHERE name=‘Schmidt‘ OR ‘1‘=‘1‘

The OWASP Zed Attack Proxy (ZAP)

13

Source: owasp.org


High level setup:ZAP sits between browser and Web Application

Automated scanning can be as easy as this:

But: We typically need an authenticated contextBut: ...

Performing an automated scan on Webgoat using ZAP

14 DB Systel GmbH | Sebastian Biehler, André König, Tommaso Nuccio | Team Application Security Specialists | OpenRheinMain 2019 | 2019-09-13

A deeper look on integrating ZAPin a CI/CD pipeline

DAST process:n Perform passive scan to

learn site tree– Parameterize passive

scan with ZAP preparation client

– Launch regular application test suite

n Perform automated scan– Parameterize and

launch scan with ZAP API client

n Generate report with ZAP report client


ZAP preparation

client

ZAP API client

Parameterizes and launches

automated scan

Parameterizes passive scan

= ZAP Docker container

ZAP (headless

mode)

Application test suite (e.g.

Selenium tests)

Web application (web server)

= Application / Test Components

ZAP report client

GitLab

Gets scan results from ZAP, generates report, pushes report to GitLab

Code

Developer CodeRepository

CI/CDIntegration

Stage

ImageRepository

ContainerImage

CI/CDDeployment Stage

Running Application

Dependencies

SASTDependency

Checker

SASTDAST

ZAP preparation

client

ZAP API client

ZAP (headless

mode)

Application test suite (e.g.

Selenium tests)

Web application (web server)

ZAP report client

GitLab

Vulnerability management tool (e.g. Defect Dojo)

GRC tool(e.g. avedos)

ZAP export client

Outlook: Integration of DAST results in development and governance processes and tools

Performing security tests and pushing reports to Git does not fix the problems

n Development teams have to work with the results and must close vulnerabilities

n Security governance must manage risks and initiate measures on enterprise scale

We, thus, are building interfaces to integrate DAST results in

n Vulnerability management tools of development teams

n Risk / compliance management tools of CISO teams


„Vielen Dank für Ihre Aufmerksamkeit“ kann auch durch ein anderes Abschlusszitat oder eine Botschaft ersetzt werden.

Thank you for your attention

Please feel free to contact us:[email protected]@deutschebahn.comtommaso.nuccio@[email protected]

automating security in ci-cd pipelines · 2019. 10. 7. · dynamic application security testing...

Documents