Add Security Testing Tools to Your Delivery Pipeline
Download as PPTX, PDF1 like313 views
The document outlines the importance of incorporating security testing tools into the software delivery pipeline to ensure that security issues are identified and remediated early in the development process. It emphasizes a proactive security approach, suggesting methods for testing and maintaining secure applications while highlighting the need for continual improvement in security practices. Additionally, it discusses the challenges of balancing security investments with the need for timely product releases.
Add Security Testing Tools to Your Delivery Pipeline
- 1. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 1@CoverosGene Add Security Testing Tools to Your Delivery Pipeline Gene Gotimer Senior Architect
- 2. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 2@CoverosGene About Coveros • Coveros builds security-critical applications using agile methods. • Coveros Services • Agile transformations • Agile development and testing • DevOps and continuous integration • Application security analysis • Agile & Security training • Government qualifications • DCAA approved rates and accounting • TS facility clearance Areas of Expertise
- 3. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 3@CoverosGene Select Clients
- 4. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 4@CoverosGene Security Testing
- 5. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 5@CoverosGene Information Security • Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. • The key concepts of information security include: • Confidentiality • Integrity • Availability • + Authenticity • + Non-Repudiation
- 6. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 6@CoverosGene Security Testing • Often put off until late or ignored completely Fix security issues and delay release? Release on time and accept security risks?
- 7. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 7@CoverosGene Return on Investment “Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn't make sense in this context.” -- Bruce Schneier, Schneier on Security https://www.schneier.com/blog/archives/2008/09/security_roi_1.html
- 8. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 8@CoverosGene Security in the Delivery Pipeline
- 9. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 9@CoverosGene Security Tools “If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” -- Bruce Schneier, Secrets & Lies
- 10. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 10@CoverosGene Security Testing Process 1. Use tools to help detect the obvious security problems 2. Remediate 3. Search for less obvious security problems 4. Repeat Better security process Fewer obvious security issues Better security Time to find less obvious security issues
- 11. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 11@CoverosGene Incorporate Security Testing Do just enough of each type of testing early in the pipeline to determine if further testing is justified.
- 12. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 12@CoverosGene Tools to Consider Adding to the Process
- 13. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 13@CoverosGene It is easier to protect less mvn dependency:tree mvn dependency:analyze mvn com.ning.maven.plugins: maven-dependency-versions-check-plugin
- 14. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 14@CoverosGene Poor quality code is harder to maintain … and harder to secure
- 15. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 15@CoverosGene Make sure your tests actually test
- 16. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 16@CoverosGene Keep libraries up-to-date
- 17. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 17@CoverosGene Negative testing User role testing … what should users not be able to do?
- 18. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 18@CoverosGene Use a proxy OWASP ZAP … and piggy-back on functional tests passive proxy active scanner fuzzer
- 19. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 19@CoverosGene Repeatable, reliable deployments … and test that through practice
- 20. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 20@CoverosGene Audit yourself
- 21. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 21@CoverosGene Scan the web application
- 22. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 22@CoverosGene Scan the web server configuration
- 23. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 23@CoverosGene Scan the system … before and after installing software
- 24. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 24@CoverosGene Scan all the systems … don’t forget the infrastructure
- 25. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 25@CoverosGene Keep packages up-to-date
- 26. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 26@CoverosGene Test performance … even if you just watch the trends
- 27. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 27@CoverosGene Test the database … for security and performance
- 28. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 28@CoverosGene Protect against hackers … even on development and test systems
- 29. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 29@CoverosGene Continuously improve A little better is still better. Keep improving. … and don’t expect perfectly secure
- 30. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 30@CoverosGene Find more tools
- 31. © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 31@CoverosGene Questions? Gene Gotimer gene.gotimer@coveros.com @CoverosGene