SlideShare a Scribd company logo

Automation of Security scanning easy or cheese

K
Katherine Golovinova

The document discusses security automation in application security testing, highlighting different methods such as Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) for identifying vulnerabilities. It emphasizes the challenge of false positives in security findings and proposes strategies for automation and integration into existing CI pipelines. Additionally, it provides useful links to tools and resources relevant to security testing and analysis.

Technology
Related topics:
Automated TestingSoftware Testing Insights
1 of 21
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
1 Skype: florykian.karen EPAM Kharkiv Security Automation Easy or cheese by Karen Florykian Lead Performance Analyst
2 Application Security Testing Security assessment for routers, firewall, load balancers, switches, find network misconfiguration Infrastructure Scanning OS vulnerabilities, known vulnerabilities in images, evaluate the image against policies to check for security compliance. Container Scanning Dynamic application security testing Find security vulnerabilities in a running application, typically web apps. DAST Static Application Security Testing Catch security issues on early stages of code development, allows developers to find bugs in code SAST Many types of security vulnerabilities are difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. Functional Security Automation
3 Security Automation 03 01 04 02 Speed Integrity Availability Visibility
4 Real Life 68 % False positive analysis 25 % 29 % 39 % 7 %
5 Real Life 85 % of findings are not real issues 25 % 29 % 39 % 7 %
6 Vision
7 Proof Of Concept • Integrated in existing CI pipeline or configured to be ran on self- service basis • Traffic created using existing tests • False Positives analysis can be partially automated using DefectDojo or ReportPortal capabilities
8 Project Pipeline
9 Under The SAST Hood
10
11 Grouping Jira service ReportPortal Jira Service Junit XML
12 Spidergetti Or Rainboweb Jira service ReportPortal Jira Service Junit XML
13 Canonical Data Model Jira service ReportPortal Jira Service Junit XML CDM
14 Auto-Analysis • Validate capabilities • Identify parameters to reduce duplicates • Create service with equals strategy • Contact to ReportPortal team to create custom analyzer service with equals strategy
15 Issue #1
16 Issue #2
17 We All Are Lazy VS OPEN FOR WEEKS BECAUSE IT IS NOT ACTIONABLE FIXED WITHIN THE WEEK IT APPEARED IN BACKLOG
18 Carrier carrier-io/sast: Tools for SAST Demo
19
20 Useful Links • SAST: https://github.com/carrier-io/sast • Docker Hub: https://hub.docker.com/r/getcarrier/sast • DAST: https://github.com/carrier-io/dast • Docker Hub: https://hub.docker.com/r/getcarrier/dast • DASTY ☺: https://github.com/carrier-io/dusty Library to execute various security tools and convert output to common unifiedformat • Carrier: https://hub.docker.com/u/getcarrier • ReportPortal Auto-Analysis equals service: https://github.com/reportportal/service-analyzer-equals
21 Thank You!Florykian Karen Lead Performance Analyst

More Related Content

PPTX
Cybersecurity overview - Open source compliance seminar
Rogue Wave Software
 
PDF
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
PPTX
OTG - Practical Hands on VAPT
shiriskumar
 
PDF
Is av dead or just missing in action - avar2016
rajeshnikam
 
PPTX
Primer: The top ten automotive cybersecurity vulnerabilities of 2015
Rogue Wave Software
 
PDF
Reducing Risk of Credential Compromise at Netflix
SBWebinars
 
PDF
we45 - Web Application Security Testing Case Study
we45
 
PDF
Web Application Security Testing Tools
Eric Lai
 
Cybersecurity overview - Open source compliance seminar
Rogue Wave Software
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
OTG - Practical Hands on VAPT
shiriskumar
 
Is av dead or just missing in action - avar2016
rajeshnikam
 
Primer: The top ten automotive cybersecurity vulnerabilities of 2015
Rogue Wave Software
 
Reducing Risk of Credential Compromise at Netflix
SBWebinars
 
we45 - Web Application Security Testing Case Study
we45
 
Web Application Security Testing Tools
Eric Lai
 

What's hot (19)

PPTX
Application Security at DevOps Speed and Portfolio Scale
Jeff Williams
 
PPTX
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Derrick Hunter
 
PPS
Security testing
Tabăra de Testare
 
PDF
Sast 2021
Felix Dobslaw
 
PPTX
Security Testing
Qualitest
 
PPTX
Security testing fundamentals
Cygnet Infotech
 
PDF
Introduction to Application Security Testing
Mohamed Ridha CHEBBI, CISSP
 
PDF
Testing Web Application Security
Ted Husted
 
PPTX
Inside forti os-v524-r5
Lan & Wan Solutions
 
PPT
Zap attack proxy
Artem Vasilenko
 
PDF
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
PDF
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Kyle Lai
 
PPTX
BUSTED! How to Find Security Bugs Fast!
Parasoft
 
PDF
Innovating Faster with Continuous Application Security
Jeff Williams
 
PPSX
CTAP
Lan & Wan Solutions
 
PDF
Security-testing presentation
Ezhilan Elangovan (Eril)
 
PPTX
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Jeff Williams
 
PPT
Get Ready for Web Application Security Testing
Alan Kan
 
PDF
Echelon_Sibcon-2016
Alexander Barabanov
 
Application Security at DevOps Speed and Portfolio Scale
Jeff Williams
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Derrick Hunter
 
Security testing
Tabăra de Testare
 
Sast 2021
Felix Dobslaw
 
Security Testing
Qualitest
 
Security testing fundamentals
Cygnet Infotech
 
Introduction to Application Security Testing
Mohamed Ridha CHEBBI, CISSP
 
Testing Web Application Security
Ted Husted
 
Inside forti os-v524-r5
Lan & Wan Solutions
 
Zap attack proxy
Artem Vasilenko
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Kyle Lai
 
BUSTED! How to Find Security Bugs Fast!
Parasoft
 
Innovating Faster with Continuous Application Security
Jeff Williams
 
CTAP
Lan & Wan Solutions
 
Security-testing presentation
Ezhilan Elangovan (Eril)
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Jeff Williams
 
Get Ready for Web Application Security Testing
Alan Kan
 
Echelon_Sibcon-2016
Alexander Barabanov
 
Ad

Similar to Automation of Security scanning easy or cheese (20)

PPTX
Automation of Security scanning easy or cheese?
Dmitriy Gumeniuk
 
PPTX
Security Automation: Easy or Cheese
Karen Florykian
 
PPTX
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
PPTX
Best of Both Worlds: Correlating Static and Dynamic Analysis Results
Jeremiah Grossman
 
PPTX
How to Use Static Application Security Testing for Web Applications.pptx
Dev Software
 
PPTX
How to Use Static Application Security Testing for Web Applications
Dev Software
 
PPTX
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
PDF
Datasheet app vulnerability_assess
Birodh Rijal
 
PDF
OpenText Vulnerability Assessment & Penetration Testing
Marc St-Pierre
 
PDF
Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh
Napier University
 
PPTX
Cyber Security Solutions in Europe
Securityium
 
PDF
Vulnerability assessment-info-savvy
infosavvy
 
PDF
Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...
Core Security
 
PDF
Which Security Testing Technique is Best for Testing Applications.pdf
Alpha BOLD
 
PDF
Day 3 p2 - security
Lilian Schaffer
 
PDF
Day 3 p2 - security
Lilian Schaffer
 
PDF
All You Need to Know About Application Security Testing.pdf
kalichargn70th171
 
PPTX
Karunia Wijaya - Proactive Incident Handling
Indonesia Honeynet Chapter
 
PPTX
Enterprise under attack dealing with security threats and compliance
SPAN Infotech (India) Pvt Ltd
 
PPTX
Sept 2019 - DSO-LG Tooling Examples
Michael Man
 
Automation of Security scanning easy or cheese?
Dmitriy Gumeniuk
 
Security Automation: Easy or Cheese
Karen Florykian
 
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
Best of Both Worlds: Correlating Static and Dynamic Analysis Results
Jeremiah Grossman
 
How to Use Static Application Security Testing for Web Applications.pptx
Dev Software
 
How to Use Static Application Security Testing for Web Applications
Dev Software
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
Datasheet app vulnerability_assess
Birodh Rijal
 
OpenText Vulnerability Assessment & Penetration Testing
Marc St-Pierre
 
Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh
Napier University
 
Cyber Security Solutions in Europe
Securityium
 
Vulnerability assessment-info-savvy
infosavvy
 
Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...
Core Security
 
Which Security Testing Technique is Best for Testing Applications.pdf
Alpha BOLD
 
Day 3 p2 - security
Lilian Schaffer
 
Day 3 p2 - security
Lilian Schaffer
 
All You Need to Know About Application Security Testing.pdf
kalichargn70th171
 
Karunia Wijaya - Proactive Incident Handling
Indonesia Honeynet Chapter
 
Enterprise under attack dealing with security threats and compliance
SPAN Infotech (India) Pvt Ltd
 
Sept 2019 - DSO-LG Tooling Examples
Michael Man
 
Ad

More from Katherine Golovinova (20)

PDF
Contract-based Testing Approach as a Tool for Shift Lef
Katherine Golovinova
 
PDF
Speed up application testing with azure container instances
Katherine Golovinova
 
PDF
Analyzing application activities with KSQL and Elasticsearch
Katherine Golovinova
 
PPTX
Testing Big Data solutions fast and furiously
Katherine Golovinova
 
PDF
"Fast & Fail in real life of DevTestSecOps"
Katherine Golovinova
 
PPTX
Geodistributed databases - what, how, and why?
Katherine Golovinova
 
PPTX
COSMOS DB - geodistributed database for anyone
Katherine Golovinova
 
PDF
Migrating from a monolith to microservices – is it worth it?
Katherine Golovinova
 
PDF
Azure Functions - the evolution of microservices platform or marketing gibber...
Katherine Golovinova
 
PPTX
Gatling and Page Object: a way to performance testing
Katherine Golovinova
 
PPTX
Gradle plugins for Test Automation
Katherine Golovinova
 
PPTX
Automation world under the DevTestSecOps umbrella
Katherine Golovinova
 
PPTX
"Disaster Recovery in Azure" by Viktor Kocherha
Katherine Golovinova
 
PPTX
"Certified Kubernetes Administrator Exam – how it was" by Andrii Fedenishin
Katherine Golovinova
 
PPTX
"Modern CI/CD" by Dmytro Batiievskyi
Katherine Golovinova
 
PPTX
EPAM DevOps community meetup: Building CI/CD for microservice architecture
Katherine Golovinova
 
PPTX
EPAM DevOps community meetup: Designing bare metal Kubernetes clusters
Katherine Golovinova
 
PDF
Hosting Microservices in Microsoft Azure
Katherine Golovinova
 
PDF
Infrastructure as Code for Azure: ARM or Terraform?
Katherine Golovinova
 
PDF
Azure IoT Hub: what is it and why we select other solution (production projec...
Katherine Golovinova
 
Contract-based Testing Approach as a Tool for Shift Lef
Katherine Golovinova
 
Speed up application testing with azure container instances
Katherine Golovinova
 
Analyzing application activities with KSQL and Elasticsearch
Katherine Golovinova
 
Testing Big Data solutions fast and furiously
Katherine Golovinova
 
"Fast & Fail in real life of DevTestSecOps"
Katherine Golovinova
 
Geodistributed databases - what, how, and why?
Katherine Golovinova
 
COSMOS DB - geodistributed database for anyone
Katherine Golovinova
 
Migrating from a monolith to microservices – is it worth it?
Katherine Golovinova
 
Azure Functions - the evolution of microservices platform or marketing gibber...
Katherine Golovinova
 
Gatling and Page Object: a way to performance testing
Katherine Golovinova
 
Gradle plugins for Test Automation
Katherine Golovinova
 
Automation world under the DevTestSecOps umbrella
Katherine Golovinova
 
"Disaster Recovery in Azure" by Viktor Kocherha
Katherine Golovinova
 
"Certified Kubernetes Administrator Exam – how it was" by Andrii Fedenishin
Katherine Golovinova
 
"Modern CI/CD" by Dmytro Batiievskyi
Katherine Golovinova
 
EPAM DevOps community meetup: Building CI/CD for microservice architecture
Katherine Golovinova
 
EPAM DevOps community meetup: Designing bare metal Kubernetes clusters
Katherine Golovinova
 
Hosting Microservices in Microsoft Azure
Katherine Golovinova
 
Infrastructure as Code for Azure: ARM or Terraform?
Katherine Golovinova
 
Azure IoT Hub: what is it and why we select other solution (production projec...
Katherine Golovinova
 

Recently uploaded (20)

PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PDF
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
Encapsulation theory and applications.pdf
gurumoop
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 

Automation of Security scanning easy or cheese