SlideShare a Scribd company logo

Automating Security Tests in Development with Docker

Gabriel Schuyler, profile picture
Gabriel Schuyler

The document discusses automating security tests in development using Docker, emphasizing the importance of shifting left in the software lifecycle to enhance security. It covers various tools, techniques, and the advantages of using containers for security testing, such as speed and efficiency. The presentation also highlights application-specific attacks and encourages developers to incorporate security practices into their continuous integration and deployment processes.

Technology
1 of 17
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Gabe Schuyler @gabe_sky LASCON 2022 Automating security tests in development with Docker (an introduction)
Gabe Schuyler LASCON 2022 @gabe_sky Who am I? Gabe Schuyler • Operations • Cybersecurity • Dev(Sec)Ops • Now: Wiz, Inc. • Past: Palo Alto Networks, PuppetLabs, Sony Playstation ...
Gabe Schuyler LASCON 2022 @gabe_sky Why bother? framing the problem • Use the same tools as attackers • An ounce of prevention • Shift-left • Developers know what to double-down on in an attack • Continuously shifting attacks -- don't just scan once and forget it • Avoid gating before production • Pen tests take weeks, a Docker run takes seconds
Gabe Schuyler LASCON 2022 @gabe_sky Containers in a very small nutshell • Tiny • Prepackaged • Single purpose • Virtual machines
Gabe Schuyler LASCON 2022 @gabe_sky Docker in a nutshell shrinking it down • Overview • Images • Volumes • Ports • Web apps • Attack platforms apps tools games kernel
Gabe Schuyler LASCON 2022 @gabe_sky Docker in a nutshell shrinking it down • Overview • Images • Volumes • Ports • Web apps • Attack platforms apps tools games kernel app fi les ports
Gabe Schuyler LASCON 2022 @gabe_sky Docker in a nutshell shrinking it down • Overview • Images • Volumes • Ports • Web apps • Attack platforms kernel app fi les ports
Gabe Schuyler LASCON 2022 @gabe_sky Docker in a nutshell shrinking it down kernel attack fi les ports web server • Overview • Images • Volumes • Ports • Web apps • Attack platforms
Gabe Schuyler LASCON 2022 @gabe_sky Readme.txt relax, it's all here • Requirements • Commands to run • We're trying to help • "Pull requests welcome!"
Gabe Schuyler LASCON 2022 @gabe_sky Caveat haX0r you break it you bought it • Virtualize • Snapshot • Embrace destruction
Gabe Schuyler LASCON 2022 @gabe_sky Launching broad attacks it's not just for script kiddies • ZAProxy • nikto • Ask your developers what to try!
Gabe Schuyler LASCON 2022 @gabe_sky Application-specific attacks know your enemy • wpscan • SQLmap
Gabe Schuyler LASCON 2022 @gabe_sky Fuzzing what's that you say? • ff uf • wfuzz • API security
Gabe Schuyler LASCON 2022 @gabe_sky General purpose toolkits generic linux as a container • Kali • Some assembly required • Versatile • Docker fi les and layers
Gabe Schuyler LASCON 2022 @gabe_sky Continuous attack in the software lifecycle • Research • Development • Deployment • Production • Share results • Borrow knowledge
Gabe Schuyler LASCON 2022 @gabe_sky Where to start danger is my middle name • Web application • Basic attacks • Get fancy • Integrate into CICD • Integrate into monitoring
Q & A and Discussion Gabe Schuyler @gabe_sky LASCON 2022

More Related Content

PDF
Texas Cyber Summit 2022: Challenges Securing Cloud-Native.pdf
Gabriel Schuyler
 
PDF
2022 GrrCON Shifting Right with Policy as Code.pdf
Gabriel Schuyler
 
PDF
DevOpsCon 2015 - DevOps in Mobile Games
Andreas Katzig
 
PDF
Kernel Con 2022: Securing Cloud Native Workloads
Gabriel Schuyler
 
PDF
321 codeincontainer brewbox
Lino Telera
 
PDF
Building Top-Notch Androids SDKs
relayr
 
PDF
Android : How Do I Code Thee?
Viswanath J
 
PDF
Ohio Devfest - Visual Analysis with GCP
Wesley Workman
 
Texas Cyber Summit 2022: Challenges Securing Cloud-Native.pdf
Gabriel Schuyler
 
2022 GrrCON Shifting Right with Policy as Code.pdf
Gabriel Schuyler
 
DevOpsCon 2015 - DevOps in Mobile Games
Andreas Katzig
 
Kernel Con 2022: Securing Cloud Native Workloads
Gabriel Schuyler
 
321 codeincontainer brewbox
Lino Telera
 
Building Top-Notch Androids SDKs
relayr
 
Android : How Do I Code Thee?
Viswanath J
 
Ohio Devfest - Visual Analysis with GCP
Wesley Workman
 

Similar to Automating Security Tests in Development with Docker (20)

PDF
DWX 2018 - Automatisiertes Datenbank-Deployment im DevOps Prozess
Marc Müller
 
PDF
DWX 2018 - Automatisiertes Datenbankdeployment im DevOps Prozess
Marc Müller
 
PPTX
Philly CocoaHeads 20160414 - Building Your App SDK With Swift
Jordan Yaker
 
PDF
Node.js for .NET Developers
David Neal
 
PPTX
Interop 2017 - Managing Containers in Production
Brian Gracely
 
PDF
Docker in pratice -chenyifei
dotCloud
 
KEY
SSJS, NoSQL, GAE and AppengineJS
Eugene Lazutkin
 
PPTX
Security research over Windows #defcon china
Peter Hlavaty
 
PDF
cadec-2017-golang
TiNguyn863920
 
PDF
Shift Remote: JS - Javascript Build Tools: Past & Beyond - Shedrack Akintayo
Shift Conference
 
PDF
Lightweight Virtualization Docker in Practice
Docker, Inc.
 
PDF
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl
 
PDF
Docker in Production: How RightScale Delivers Cloud Applications
RightScale
 
PPT
Getting Started with Docker
visual28
 
KEY
Get your Project back in Shape!
Joachim Tuchel
 
PDF
Greenfields tech decisions
Trent Hornibrook
 
PPTX
Building a REST API Microservice for the DevNet API Scavenger Hunt
Ashley Roach
 
PDF
How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl
 
PPTX
Streamline Cloud-Native App Development Using CDEs​.pptx
Saeed Zarinfam
 
PPTX
SeaJUG 5 15-2018
Will Iverson
 
DWX 2018 - Automatisiertes Datenbank-Deployment im DevOps Prozess
Marc Müller
 
DWX 2018 - Automatisiertes Datenbankdeployment im DevOps Prozess
Marc Müller
 
Philly CocoaHeads 20160414 - Building Your App SDK With Swift
Jordan Yaker
 
Node.js for .NET Developers
David Neal
 
Interop 2017 - Managing Containers in Production
Brian Gracely
 
Docker in pratice -chenyifei
dotCloud
 
SSJS, NoSQL, GAE and AppengineJS
Eugene Lazutkin
 
Security research over Windows #defcon china
Peter Hlavaty
 
cadec-2017-golang
TiNguyn863920
 
Shift Remote: JS - Javascript Build Tools: Past & Beyond - Shedrack Akintayo
Shift Conference
 
Lightweight Virtualization Docker in Practice
Docker, Inc.
 
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl
 
Docker in Production: How RightScale Delivers Cloud Applications
RightScale
 
Getting Started with Docker
visual28
 
Get your Project back in Shape!
Joachim Tuchel
 
Greenfields tech decisions
Trent Hornibrook
 
Building a REST API Microservice for the DevNet API Scavenger Hunt
Ashley Roach
 
How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl
 
Streamline Cloud-Native App Development Using CDEs​.pptx
Saeed Zarinfam
 
SeaJUG 5 15-2018
Will Iverson
 

More from Gabriel Schuyler (11)

PDF
2024 Kernelcon Attack and Defense of AI.pdf
Gabriel Schuyler
 
PDF
2023 BSides ATX Trending Attack and Defense.pdf
Gabriel Schuyler
 
PDF
Trends in Cloud Security Attack & Defense
Gabriel Schuyler
 
PDF
Pancakes Con 4 Trends in Cloud Security & Fun Facts about Real Clouds
Gabriel Schuyler
 
PDF
Dog Days of Devops 2022: Policy as Code
Gabriel Schuyler
 
PDF
fwd:cloudsec 2022: Shifting right with policy-as-code
Gabriel Schuyler
 
PDF
Hope 2022: Just Enough RFID Cloning to be Dangerous
Gabriel Schuyler
 
PPTX
ShmooCon 2022: RFID Key Cloning for Angry Bikers
Gabriel Schuyler
 
PDF
Cybersecurity in 2022
Gabriel Schuyler
 
PDF
Migrating Puppet 3 to 4 -- Code Changes
Gabriel Schuyler
 
PDF
IC3 -- Configuration Management 101
Gabriel Schuyler
 
2024 Kernelcon Attack and Defense of AI.pdf
Gabriel Schuyler
 
2023 BSides ATX Trending Attack and Defense.pdf
Gabriel Schuyler
 
Trends in Cloud Security Attack & Defense
Gabriel Schuyler
 
Pancakes Con 4 Trends in Cloud Security & Fun Facts about Real Clouds
Gabriel Schuyler
 
Dog Days of Devops 2022: Policy as Code
Gabriel Schuyler
 
fwd:cloudsec 2022: Shifting right with policy-as-code
Gabriel Schuyler
 
Hope 2022: Just Enough RFID Cloning to be Dangerous
Gabriel Schuyler
 
ShmooCon 2022: RFID Key Cloning for Angry Bikers
Gabriel Schuyler
 
Cybersecurity in 2022
Gabriel Schuyler
 
Migrating Puppet 3 to 4 -- Code Changes
Gabriel Schuyler
 
IC3 -- Configuration Management 101
Gabriel Schuyler
 

Recently uploaded (20)

PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Encapsulation theory and applications.pdf
gurumoop
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
KodekX | Application Modernization Development
KodekX
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Cloud computing and distributed systems.
kkkkkhan
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 

Automating Security Tests in Development with Docker

  • 1. Gabe Schuyler @gabe_sky LASCON 2022 Automating security tests in development with Docker (an introduction)
  • 2. Gabe Schuyler LASCON 2022 @gabe_sky Who am I? Gabe Schuyler • Operations • Cybersecurity • Dev(Sec)Ops • Now: Wiz, Inc. • Past: Palo Alto Networks, PuppetLabs, Sony Playstation ...
  • 3. Gabe Schuyler LASCON 2022 @gabe_sky Why bother? framing the problem • Use the same tools as attackers • An ounce of prevention • Shift-left • Developers know what to double-down on in an attack • Continuously shifting attacks -- don't just scan once and forget it • Avoid gating before production • Pen tests take weeks, a Docker run takes seconds
  • 4. Gabe Schuyler LASCON 2022 @gabe_sky Containers in a very small nutshell • Tiny • Prepackaged • Single purpose • Virtual machines
  • 5. Gabe Schuyler LASCON 2022 @gabe_sky Docker in a nutshell shrinking it down • Overview • Images • Volumes • Ports • Web apps • Attack platforms apps tools games kernel
  • 6. Gabe Schuyler LASCON 2022 @gabe_sky Docker in a nutshell shrinking it down • Overview • Images • Volumes • Ports • Web apps • Attack platforms apps tools games kernel app fi les ports
  • 7. Gabe Schuyler LASCON 2022 @gabe_sky Docker in a nutshell shrinking it down • Overview • Images • Volumes • Ports • Web apps • Attack platforms kernel app fi les ports
  • 8. Gabe Schuyler LASCON 2022 @gabe_sky Docker in a nutshell shrinking it down kernel attack fi les ports web server • Overview • Images • Volumes • Ports • Web apps • Attack platforms
  • 9. Gabe Schuyler LASCON 2022 @gabe_sky Readme.txt relax, it's all here • Requirements • Commands to run • We're trying to help • "Pull requests welcome!"
  • 10. Gabe Schuyler LASCON 2022 @gabe_sky Caveat haX0r you break it you bought it • Virtualize • Snapshot • Embrace destruction
  • 11. Gabe Schuyler LASCON 2022 @gabe_sky Launching broad attacks it's not just for script kiddies • ZAProxy • nikto • Ask your developers what to try!
  • 12. Gabe Schuyler LASCON 2022 @gabe_sky Application-specific attacks know your enemy • wpscan • SQLmap
  • 13. Gabe Schuyler LASCON 2022 @gabe_sky Fuzzing what's that you say? • ff uf • wfuzz • API security
  • 14. Gabe Schuyler LASCON 2022 @gabe_sky General purpose toolkits generic linux as a container • Kali • Some assembly required • Versatile • Docker fi les and layers
  • 15. Gabe Schuyler LASCON 2022 @gabe_sky Continuous attack in the software lifecycle • Research • Development • Deployment • Production • Share results • Borrow knowledge
  • 16. Gabe Schuyler LASCON 2022 @gabe_sky Where to start danger is my middle name • Web application • Basic attacks • Get fancy • Integrate into CICD • Integrate into monitoring
  • 17. Q & A and Discussion Gabe Schuyler @gabe_sky LASCON 2022