Page 1
Automating Security Tests for Continuous Integration
Stephen de Vries @stephendv
www.continuumsecurity.net
Page 2
About Continuum Security
• Founded 2012
• Services: Security Testing, BDD-Security jump start
• Products: Securing the SDLC
– Open Source
• BDD-Security Testing Framework
• OWASP ZAP integration with JUnit
• Nessus Java client API
– Commercial
• IriusRisk Risk Management for Application Security: www.iriusrisk.com
Page 3
Security Testing
• Performed after build
• Uses external testers
• Process is opaque to dev/ops
Unit/Integration/Functional Testing
• Performed during build
• Owned by dev/test
• Tests visible to the team
Page 4
[Pipeline diagram: Design → Build → Unit Tests → Integration Tests → Acceptance Tests → Deploy, spanning Development, Pre-prod and Production]
Agile
• Short iterative cycles
• Extensive automated testing
• Low/zero cost to test
• Tests can replace documentation
Security Testing
Waterfall
Page 5
[Pipeline diagram: Design → Build → Unit Tests → Integration Tests → Acceptance Tests → Deploy, spanning Development, Pre-prod and Production]
Continuous Delivery with DevOps
• Automated delivery into pre-prod
• Automated acceptance tests
Page 6
[Pipeline diagram: Design → Build → Unit Tests → Integration Tests → Acceptance Tests → Deploy, spanning Development, Pre-prod and Production]
Continuous Deployment with DevOps
Security Testing
• Etsy: 50+ deploys per day
• Amazon: 300+ per hour
• Gov.uk: 10+ deploys per day
Page 7
• Everyone is responsible for quality
• Move testing closer to the code
• Continuous automated testing
• Tests are visible to the team
[Slide annotation: "quality" is replaced by "security"]
Page 8
[Pipeline diagram: Design → Build → Unit Tests → Integration Tests → Acceptance Tests → Deploy, spanning Development, Pre-prod and Production, with Auto. Security Tests placed in the pipeline and Manual Security Tests alongside]
Continuous Deployment with SecDevOps: Blocking tests
Page 9
[Pipeline diagram: Design → Build → Unit Tests → Integration Tests → Acceptance Tests → Deploy, spanning Development, Pre-prod and Production, with Manual Security Tests and Auto. Security Tests running alongside the pipeline]
Continuous Deployment with Semi-SecDevOps: Parallel tests
Page 10
Who owns the security tests?
A) Security team
• Benefits of automation
• Fast feedback
• Poor collaboration
• Lack of ownership by DevOps
Page 11
Who owns the security tests?
B) DevOps team with oversight by Security
• Better collaboration
• More sense of ownership of security
• Good stepping stone to…
Page 12
Who owns the security tests?
C) Sec + Dev + Ops in a cross-functional team
[Diagram: Sec, Dev and Ops]
• Security testing is our problem
• We have the tools and skills to manage it
Page 13
Automated Security Tests should:
• return either a pass or fail result
• execute quickly (similar to acceptance tests)
• test infrastructure and application tiers
• test functional security features, e.g. Login, Password Reset
• capture manual testing processes and automate them, i.e. security regression tests
• be checked into version control along with the code
• be understandable by the whole team
Page 14
BDD-Security Testing Framework
https://github.com/continuumsecurity/bdd-security
BDD-Security = JBehave + Selenium + OWASP ZAP + Nessus + Internal security tools + Pre-written baseline security specifications
Page 15
Infrastructure Security Testing
Page 18
Application Security Testing
Page 19
[Diagram: OWASP ZAP as HTTP/S Proxy between the tester's browser and the application]
Manual Application Security Testing with OWASP ZAP
Page 20
[Diagram: Selenium drives the browser through the ZAP HTTP/S Proxy; BDD-Security controls ZAP through its API]
Automated Application Security Testing with OWASP ZAP
[Slide annotation: "Manual" in the previous title is replaced by "Automated"]
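The slide above shows BDD-Security driving ZAP through its API; the earlier list of properties asks that such tests return a plain pass or fail, capture a manual process as a regression test, and live in version control. The following is an added example (not code from the slides or the BDD-Security project) of the gating step that turns ZAP alerts into that pass/fail result. It takes alerts in the shape ZAP's core/view/alerts API returns (alert, risk, url, param), fails the build at a configurable risk level, and keeps an explicit allowlist of known false positives. `AlertPolicy`, `gate_alerts`, `ci_exit_code`, the sample alerts and the `app.test` URLs are this example's own constructions.

```python
"""Turn OWASP ZAP alerts into a pass/fail CI gate (added example, not BDD-Security code)."""
import re
from dataclasses import dataclass, field

# Risk levels as ZAP reports them, ordered so a threshold can be compared
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass
class AlertPolicy:
    fail_at: str = "Medium"  # fail the build at this risk level or above
    # Known false positives as (alert name, url regex). Keeping them explicit
    # here means the exceptions are reviewed and versioned with the code.
    allow: list = field(default_factory=list)

    def is_allowed(self, alert):
        return any(alert["alert"] == name and re.search(pattern, alert["url"])
                   for name, pattern in self.allow)


def gate_alerts(alerts, policy):
    """Return (passed, blocking): blocking lists the alerts that fail the build."""
    threshold = RISK_ORDER[policy.fail_at]
    blocking = [a for a in alerts
                if RISK_ORDER.get(a["risk"], 0) >= threshold
                and not policy.is_allowed(a)]
    return (not blocking), blocking


# Constructed sample alerts in the shape of ZAP's core/view/alerts response
SAMPLE_ALERTS = [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "url": "http://app.test/login", "param": ""},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://app.test/search", "param": "q"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low",
     "url": "http://app.test/", "param": "JSESSIONID"},
    {"alert": "Absence of Anti-CSRF Tokens", "risk": "Medium",
     "url": "http://app.test/healthz", "param": ""},  # reviewed: unauthenticated health page
]

POLICY = AlertPolicy(fail_at="Medium",
                     allow=[("Absence of Anti-CSRF Tokens", r"/healthz$")])


def ci_exit_code(alerts=SAMPLE_ALERTS, policy=POLICY):
    """Jenkins marks the build as failed on a non-zero exit code."""
    passed, blocking = gate_alerts(alerts, policy)
    for a in blocking:
        print(f"FAIL {a['risk']:<7} {a['alert']} at {a['url']} param={a['param']!r}")
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(ci_exit_code())
```

Lowering `fail_at` to "Low" would also block the insecure cookie; the allowlisted health-page alert stays excluded either way because it is matched by name and URL, not by risk.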
Page 23
Functional Security Tests
Page 24
Integrating with Jenkins
• Configuration
• Test run
Page 25
Summary
• Security testing is just another form of software testing
• Automate as much as possible for faster feedback
• Security Tests can be treated as security requirements
• Self Verifying Requirements!
• Tests written in a BDD language foster collaboration between sec, dev and ops
• Automated Security tests should include more than just scanning
Page 26
Other related tools
• Mittn (Python + Burp Intruder) https://github.com/F-Secure/mittn
• ZAP-JUnit (Java) https://github.com/continuumsecurity/zap-webdriver
• Gauntlt (Ruby) http://gauntlt.org/
• OWASP ZAP Jenkins plugin https://wiki.jenkins-ci.org/display/JENKINS/Zapper+Plugin
Page 27
Thank you
www.continuumsecurity.net
@stephendv