SlideShare a Scribd company logo

Better Security Testing: Using the Cloud and Continuous Delivery

Coveros, Inc., profile picture
Coveros, Inc.

The document outlines security testing strategies and maturity models, emphasizing the importance of integrating security at various levels of the software delivery process. It discusses methods from unit testing to continuous delivery, along with recommended open-source tools for each level. The conclusion highlights that earlier security testing increases the likelihood of remediation and suggests leveraging continuous delivery and cloud computing for improved security testing opportunities.

Software
Related topics:
Software Testing InsightsInsights on Software Development agile-software-development
1 of 30
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
1© Copyright 2013 Coveros, Inc. All rights reserved. Gene Gotimer, Senior Architect gene.gotimer@coveros.com
2© Copyright 2013 Coveros, Inc. All rights reserved.  Coveros helps organizations accelerate the delivery of business value through secure, reliable software About Coveros
3© Copyright 2013 Coveros, Inc. All rights reserved. Security Testing  Late in the cycle  Issues are not remediated  Needs ROI: lower cost, better results, or both
4© Copyright 2013 Coveros, Inc. All rights reserved. Security Testing  Consider open-source and free tools  Opportunities in Continuous Delivery and Cloud Identify low effort opportunities using free and open-source tools
5© Copyright 2013 Coveros, Inc. All rights reserved. Continuous Integration  Merge work frequently  Code commits to source control  Unit tests run automatically  No long integration cycle at the end  Fix code when we find problems  Build-Test-Commit cycle = rapid feedback
6© Copyright 2013 Coveros, Inc. All rights reserved. Continuous Delivery  Every build potentially releasable  Release is a business decision  Extrapolation of Continuous Integration – Deploys – Functional tests – Load and performance tests – Security tests  Build-Test-Commit-Deploy-Test-Release cycle
7© Copyright 2013 Coveros, Inc. All rights reserved. Cloud Computing  Can’t wait for long procurement  Public or Private clouds  Works well with Continuous Delivery – Easy to deploy – New environments whenever
8© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing  Level 0: No Security Testing  Level 1: Unit Testing and Static Analysis  Level 2: Automated Deploys and Functional Testing  Level 3: Automated Configuration Management  Level 4: Cloud Deployments  Level 5: Continuous Delivery
9© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing  Level 0: No Security Testing  Level 1: Unit Testing and Static Analysis  Level 2: Automated Deploys and Functional Testing  Level 3: Automated Configuration Management  Level 4: Cloud Deployments  Level 5: Continuous Delivery
10© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing  Level 0: No Security Testing  Level 1: Unit Testing and Static Analysis  Level 2: Automated Deploys and Functional Testing  Level 3: Automated Configuration Management  Level 4: Cloud Deployments  Level 5: Continuous Delivery
11© Copyright 2013 Coveros, Inc. All rights reserved. Level 1: Unit Testing and Static Analysis  Unit Tests: – Confidence to make changes – Error handling – General logic errors – Bounds checking – Edge conditions
12© Copyright 2013 Coveros, Inc. All rights reserved. Level 1: Unit Testing and Static Analysis  Static Analysis: – Common errors – Unused variables – SQL injection – Cross-Site Scripting (XSS) – Hard-coded passwords
13© Copyright 2013 Coveros, Inc. All rights reserved. Level 1: Unit Testing and Static Analysis  Unit testing:  JUnit for Java  NUnit for .Net  PyUnit for Python  PHPUnit for PHP  Static Analysis:  Sonar for many languages  PMD for Java  FindBugs for Java  PHPMD for PHP  FxCop for .Net  PyChecker for Python  pylint for Python
14© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing  Level 0: No Security Testing  Level 1: Unit Testing and Static Analysis  Level 2: Automated Deploys and Functional Testing  Level 3: Automated Configuration Management  Level 4: Cloud Deployments  Level 5: Continuous Delivery
15© Copyright 2013 Coveros, Inc. All rights reserved. Level 2: Automated Deploys and Functional Testing  Automated Deploys: – Frequent security scans – Rapid feedback – Web application scanners:  w3af  wapiti  Skipfish – Start basic, add tuning
16© Copyright 2013 Coveros, Inc. All rights reserved. Level 2: Automated Deploys and Functional Testing  Functional Testing: – Access control – Data protection – Web Application testing:  Selenium
17© Copyright 2013 Coveros, Inc. All rights reserved. Level 2: Automated Deploys and Functional Testing  Proxies: – Better coverage – XSS and Cross-Site Request Forgery (XSRF) – URLs for logs to augment spidering – Data leakage – Web application proxies:  OWASP Zed Attack Proxy (ZAP) Project  OWASP WebScarab  Ratproxy
18© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing  Level 0: No Security Testing  Level 1: Unit Testing and Static Analysis  Level 2: Automated Deploys and Functional Testing  Level 3: Automated Configuration Management  Level 4: Cloud Deployments  Level 5: Continuous Delivery
19© Copyright 2013 Coveros, Inc. All rights reserved. Level 3: Automated Configuration Management  Deployment/Configuration:  Puppet  Chef  Provisioning:  Cobbler  Kickstart  Windows Deployment Services  Completely new systems or build on templates  Repeatable configuration management
20© Copyright 2013 Coveros, Inc. All rights reserved. Level 3: Automated Configuration Management  Complete system scans  OpenVAS  Nmap  Nikto2
21© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing  Level 0: No Security Testing  Level 1: Unit Testing and Static Analysis  Level 2: Automated Deploys and Functional Testing  Level 3: Automated Configuration Management  Level 4: Cloud Deployments  Level 5: Continuous Delivery
22© Copyright 2013 Coveros, Inc. All rights reserved. Level 4: Cloud Deployments  On-demand environments – Long running scans in parallel – Production-sized machines, even temporarily – Failover and high-availability  Multiple client systems in parallel – Race conditions – Multi-user interactions
23© Copyright 2013 Coveros, Inc. All rights reserved. Level 4: Cloud Deployments  Web performance testing frameworks:  Apache Jmeter: Java-based UI • HTTP, HTTPS, SOAP, JDBC, LDAP, JMS, SMTP, POP, IMAP  ab, ApacheBench: command-line  The Grinder: Jython and Clojure  Gatling: Scala
24© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing  Level 0: No Security Testing  Level 1: Unit Testing and Static Analysis  Level 2: Automated Deploys and Functional Testing  Level 3: Automated Configuration Management  Level 4: Cloud Deployments  Level 5: Continuous Delivery
25© Copyright 2013 Coveros, Inc. All rights reserved. Level 5: Continuous Delivery  Release ready for production  Continuous deployment  High levels of automation  Dashboards – Custom development
26© Copyright 2013 Coveros, Inc. All rights reserved. Personal Experience  Agile development grew into Continuous Delivery  Automated deploys with Puppet  Selenium functional tests  JMeter performance tests
27© Copyright 2013 Coveros, Inc. All rights reserved. Personal Experience  Security testing lagged  Excuses: – The “official” tool is expensive. – It would take a lot of time to acquire and then to configure it. – We don’t have time. – It isn’t our responsibility. – The security team wouldn’t accept our scans anyway.  Open-source tools  Focus on security, not compliance  Limited time
28© Copyright 2013 Coveros, Inc. All rights reserved. Personal Experience  Web application scans with w3af  Vulnerability assessments with OpenVAS  Security standards checks with Openscap  Initial implementation ~ a day each  No more freebies
29© Copyright 2013 Coveros, Inc. All rights reserved. Conclusion  Earlier security testing – Less likely to skip – More likely to remediate  Open-source tools  Other testing as foundation  Gradually add more security tests  Continuous Delivery and Cloud Computing give security testing opportunities
30© Copyright 2013 Coveros, Inc. All rights reserved. Questions? Gene Gotimer Email: gene.gotimer@coveros.com Twitter: @CoverosGene

More Related Content

PPTX
DevOps in a Regulated and Embedded Environment (AgileDC)
Arjun Comar
 
PPTX
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Gene Gotimer
 
PDF
Continuous Delivery in a Legacy Shop - One Step at a Time
Gene Gotimer
 
PDF
System Event Monitoring for Active Authentication
Coveros, Inc.
 
PDF
Web Application Security Testing: Kali Linux Is the Way to Go
Gene Gotimer
 
PDF
Better Security Testing: Using the Cloud and Continuous Delivery
Gene Gotimer
 
PDF
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Sauce Labs
 
PDF
Create Disposable Test Environments with Vagrant and Puppet
Gene Gotimer
 
DevOps in a Regulated and Embedded Environment (AgileDC)
Arjun Comar
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Gene Gotimer
 
Continuous Delivery in a Legacy Shop - One Step at a Time
Gene Gotimer
 
System Event Monitoring for Active Authentication
Coveros, Inc.
 
Web Application Security Testing: Kali Linux Is the Way to Go
Gene Gotimer
 
Better Security Testing: Using the Cloud and Continuous Delivery
Gene Gotimer
 
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Sauce Labs
 
Create Disposable Test Environments with Vagrant and Puppet
Gene Gotimer
 

What's hot (20)

PPT
Securing Apache Web Servers
Information Technology
 
PDF
Building Security in Using CI
Coveros, Inc.
 
PDF
Increasing Quality with DevOps
Coveros, Inc.
 
PPT
Code Quality - Security
sedukull
 
PPTX
Rapid software testing and conformance with static code analysis
Rogue Wave Software
 
PDF
Connect Ops and Security with Flexible Web App and API Protection
DevOps.com
 
PDF
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
PPTX
Test parallelization using Jenkins
Rogue Wave Software
 
PPTX
Integrating security into Continuous Delivery
Tom Stiehm
 
PDF
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
PPTX
SecDevOps: The New Black of IT
CloudPassage
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
PDF
Better Security Testing: Using the Cloud and Continuous Delivery
TechWell
 
PDF
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
DicodingEvent
 
PDF
DevSecOps and the CI/CD Pipeline
James Wickett
 
PDF
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Christian Schneider
 
PDF
8 Tips for Deploying DevSecOps
Felicia Haggarty
 
PDF
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
Hui (Henry) Chen
 
PDF
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
PPTX
Legal and Practical Concerns with Software Development
Rogue Wave Software
 
Securing Apache Web Servers
Information Technology
 
Building Security in Using CI
Coveros, Inc.
 
Increasing Quality with DevOps
Coveros, Inc.
 
Code Quality - Security
sedukull
 
Rapid software testing and conformance with static code analysis
Rogue Wave Software
 
Connect Ops and Security with Flexible Web App and API Protection
DevOps.com
 
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
Test parallelization using Jenkins
Rogue Wave Software
 
Integrating security into Continuous Delivery
Tom Stiehm
 
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
SecDevOps: The New Black of IT
CloudPassage
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Better Security Testing: Using the Cloud and Continuous Delivery
TechWell
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
DicodingEvent
 
DevSecOps and the CI/CD Pipeline
James Wickett
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Christian Schneider
 
8 Tips for Deploying DevSecOps
Felicia Haggarty
 
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
Hui (Henry) Chen
 
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
Legal and Practical Concerns with Software Development
Rogue Wave Software
 
Ad

Similar to Better Security Testing: Using the Cloud and Continuous Delivery (20)

PPTX
Service Virtualization: Delivering Complex Test Environments on Demand
Erika Barron
 
DOCX
UpdatedProfile
Radhika Subburaju
 
DOCX
Faq
Anu j
 
PPTX
(Agile) engineering best practices - What every project manager should know
Richard Cheng
 
PDF
Agile Engineering Best Practices by Richard Cheng
Excella
 
PDF
How the Cloud Shifts the Burden of Security to Development
Erika Barron
 
PPTX
Agile Engineering Sparker GLASScon 2015
Stephen Ritchie
 
PDF
Continuous Delivery in a Legacy Shop - One Step at a Time
Coveros, Inc.
 
PPTX
AppSec California 2016 - Making Security Agile
Oleg Gryb
 
PDF
Pragmatic Pipeline Security
James Wickett
 
PDF
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
PDF
Playwright, Cypress, or TestGrid: A Feature-by-Feature Breakdown for Test Aut...
Shubham Joshi
 
PDF
Experience Sharing on School Pentest Project (Updated)
eLearning Consortium 電子學習聯盟
 
PDF
Tune your App Perf (and get fit for summer)
Sqreen
 
PPTX
Testing concepts
sangamesh kumbar
 
PPTX
Cyber security - It starts with the embedded system
Rogue Wave Software
 
PPT
Muves3 Elastic Grid Java One2009 Final
Elastic Grid, LLC.
 
PDF
Cloud testing: challenges and opportunities, TaaS, Integration Testing
Dr Ganesh Iyer
 
PPTX
Serena Webcast: Accelerating Application Delivery with Continuous Testing
Serena Software
 
PPTX
Content Analysis System and Advanced Threat Protection
Blue Coat
 
Service Virtualization: Delivering Complex Test Environments on Demand
Erika Barron
 
UpdatedProfile
Radhika Subburaju
 
Faq
Anu j
 
(Agile) engineering best practices - What every project manager should know
Richard Cheng
 
Agile Engineering Best Practices by Richard Cheng
Excella
 
How the Cloud Shifts the Burden of Security to Development
Erika Barron
 
Agile Engineering Sparker GLASScon 2015
Stephen Ritchie
 
Continuous Delivery in a Legacy Shop - One Step at a Time
Coveros, Inc.
 
AppSec California 2016 - Making Security Agile
Oleg Gryb
 
Pragmatic Pipeline Security
James Wickett
 
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
Playwright, Cypress, or TestGrid: A Feature-by-Feature Breakdown for Test Aut...
Shubham Joshi
 
Experience Sharing on School Pentest Project (Updated)
eLearning Consortium 電子學習聯盟
 
Tune your App Perf (and get fit for summer)
Sqreen
 
Testing concepts
sangamesh kumbar
 
Cyber security - It starts with the embedded system
Rogue Wave Software
 
Muves3 Elastic Grid Java One2009 Final
Elastic Grid, LLC.
 
Cloud testing: challenges and opportunities, TaaS, Integration Testing
Dr Ganesh Iyer
 
Serena Webcast: Accelerating Application Delivery with Continuous Testing
Serena Software
 
Content Analysis System and Advanced Threat Protection
Blue Coat
 
Ad

More from Coveros, Inc. (8)

PDF
Which Development Metrics Should I Watch?
Coveros, Inc.
 
PDF
10 Things You Might Not Know: Continuous Integration
Coveros, Inc.
 
PDF
Create Disposable Test Environments with Vagrant and Puppet
Coveros, Inc.
 
PPTX
DevOps in a Regulated and Embedded Environment (AgileDC)
Coveros, Inc.
 
PDF
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Coveros, Inc.
 
PPTX
Tests Your Pipeline Might Be Missing
Coveros, Inc.
 
PPTX
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Coveros, Inc.
 
PDF
Web Application Security Testing: Kali Linux Is the Way to Go
Coveros, Inc.
 
Which Development Metrics Should I Watch?
Coveros, Inc.
 
10 Things You Might Not Know: Continuous Integration
Coveros, Inc.
 
Create Disposable Test Environments with Vagrant and Puppet
Coveros, Inc.
 
DevOps in a Regulated and Embedded Environment (AgileDC)
Coveros, Inc.
 
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Coveros, Inc.
 
Tests Your Pipeline Might Be Missing
Coveros, Inc.
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Coveros, Inc.
 
Web Application Security Testing: Kali Linux Is the Way to Go
Coveros, Inc.
 

Recently uploaded (20)

PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
System and Network Administration Chapter 2
jaramharo
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
Introduction to Artificial Intelligence
lohedi9363
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
AI in Product Development-omnex systems
omnex systems
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 

Better Security Testing: Using the Cloud and Continuous Delivery

  • 1. 1© Copyright 2013 Coveros, Inc. All rights reserved. Gene Gotimer, Senior Architect gene.gotimer@coveros.com
  • 2. 2© Copyright 2013 Coveros, Inc. All rights reserved.  Coveros helps organizations accelerate the delivery of business value through secure, reliable software About Coveros
  • 3. 3© Copyright 2013 Coveros, Inc. All rights reserved. Security Testing  Late in the cycle  Issues are not remediated  Needs ROI: lower cost, better results, or both
  • 4. 4© Copyright 2013 Coveros, Inc. All rights reserved. Security Testing  Consider open-source and free tools  Opportunities in Continuous Delivery and Cloud Identify low effort opportunities using free and open-source tools
  • 5. 5© Copyright 2013 Coveros, Inc. All rights reserved. Continuous Integration  Merge work frequently  Code commits to source control  Unit tests run automatically  No long integration cycle at the end  Fix code when we find problems  Build-Test-Commit cycle = rapid feedback
  • 6. 6© Copyright 2013 Coveros, Inc. All rights reserved. Continuous Delivery  Every build potentially releasable  Release is a business decision  Extrapolation of Continuous Integration – Deploys – Functional tests – Load and performance tests – Security tests  Build-Test-Commit-Deploy-Test-Release cycle
  • 7. 7© Copyright 2013 Coveros, Inc. All rights reserved. Cloud Computing  Can’t wait for long procurement  Public or Private clouds  Works well with Continuous Delivery – Easy to deploy – New environments whenever
  • 8. 8© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing  Level 0: No Security Testing  Level 1: Unit Testing and Static Analysis  Level 2: Automated Deploys and Functional Testing  Level 3: Automated Configuration Management  Level 4: Cloud Deployments  Level 5: Continuous Delivery
  • 9. 9© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing  Level 0: No Security Testing  Level 1: Unit Testing and Static Analysis  Level 2: Automated Deploys and Functional Testing  Level 3: Automated Configuration Management  Level 4: Cloud Deployments  Level 5: Continuous Delivery
  • 10. 10© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing  Level 0: No Security Testing  Level 1: Unit Testing and Static Analysis  Level 2: Automated Deploys and Functional Testing  Level 3: Automated Configuration Management  Level 4: Cloud Deployments  Level 5: Continuous Delivery
  • 11. 11© Copyright 2013 Coveros, Inc. All rights reserved. Level 1: Unit Testing and Static Analysis  Unit Tests: – Confidence to make changes – Error handling – General logic errors – Bounds checking – Edge conditions
  • 12. 12© Copyright 2013 Coveros, Inc. All rights reserved. Level 1: Unit Testing and Static Analysis  Static Analysis: – Common errors – Unused variables – SQL injection – Cross-Site Scripting (XSS) – Hard-coded passwords
  • 13. 13© Copyright 2013 Coveros, Inc. All rights reserved. Level 1: Unit Testing and Static Analysis  Unit testing:  JUnit for Java  NUnit for .Net  PyUnit for Python  PHPUnit for PHP  Static Analysis:  Sonar for many languages  PMD for Java  FindBugs for Java  PHPMD for PHP  FxCop for .Net  PyChecker for Python  pylint for Python
  • 14. 14© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing  Level 0: No Security Testing  Level 1: Unit Testing and Static Analysis  Level 2: Automated Deploys and Functional Testing  Level 3: Automated Configuration Management  Level 4: Cloud Deployments  Level 5: Continuous Delivery
  • 15. 15© Copyright 2013 Coveros, Inc. All rights reserved. Level 2: Automated Deploys and Functional Testing  Automated Deploys: – Frequent security scans – Rapid feedback – Web application scanners:  w3af  wapiti  Skipfish – Start basic, add tuning
  • 16. 16© Copyright 2013 Coveros, Inc. All rights reserved. Level 2: Automated Deploys and Functional Testing  Functional Testing: – Access control – Data protection – Web Application testing:  Selenium
  • 17. 17© Copyright 2013 Coveros, Inc. All rights reserved. Level 2: Automated Deploys and Functional Testing  Proxies: – Better coverage – XSS and Cross-Site Request Forgery (XSRF) – URLs for logs to augment spidering – Data leakage – Web application proxies:  OWASP Zed Attack Proxy (ZAP) Project  OWASP WebScarab  Ratproxy
  • 18. 18© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing  Level 0: No Security Testing  Level 1: Unit Testing and Static Analysis  Level 2: Automated Deploys and Functional Testing  Level 3: Automated Configuration Management  Level 4: Cloud Deployments  Level 5: Continuous Delivery
  • 19. 19© Copyright 2013 Coveros, Inc. All rights reserved. Level 3: Automated Configuration Management  Deployment/Configuration:  Puppet  Chef  Provisioning:  Cobbler  Kickstart  Windows Deployment Services  Completely new systems or build on templates  Repeatable configuration management
  • 20. 20© Copyright 2013 Coveros, Inc. All rights reserved. Level 3: Automated Configuration Management  Complete system scans  OpenVAS  Nmap  Nikto2
  • 21. 21© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing  Level 0: No Security Testing  Level 1: Unit Testing and Static Analysis  Level 2: Automated Deploys and Functional Testing  Level 3: Automated Configuration Management  Level 4: Cloud Deployments  Level 5: Continuous Delivery
  • 22. 22© Copyright 2013 Coveros, Inc. All rights reserved. Level 4: Cloud Deployments  On-demand environments – Long running scans in parallel – Production-sized machines, even temporarily – Failover and high-availability  Multiple client systems in parallel – Race conditions – Multi-user interactions
  • 23. 23© Copyright 2013 Coveros, Inc. All rights reserved. Level 4: Cloud Deployments  Web performance testing frameworks:  Apache Jmeter: Java-based UI • HTTP, HTTPS, SOAP, JDBC, LDAP, JMS, SMTP, POP, IMAP  ab, ApacheBench: command-line  The Grinder: Jython and Clojure  Gatling: Scala
  • 24. 24© Copyright 2013 Coveros, Inc. All rights reserved. Maturity Model for Security Testing  Level 0: No Security Testing  Level 1: Unit Testing and Static Analysis  Level 2: Automated Deploys and Functional Testing  Level 3: Automated Configuration Management  Level 4: Cloud Deployments  Level 5: Continuous Delivery
  • 25. 25© Copyright 2013 Coveros, Inc. All rights reserved. Level 5: Continuous Delivery  Release ready for production  Continuous deployment  High levels of automation  Dashboards – Custom development
  • 26. 26© Copyright 2013 Coveros, Inc. All rights reserved. Personal Experience  Agile development grew into Continuous Delivery  Automated deploys with Puppet  Selenium functional tests  JMeter performance tests
  • 27. 27© Copyright 2013 Coveros, Inc. All rights reserved. Personal Experience  Security testing lagged  Excuses: – The “official” tool is expensive. – It would take a lot of time to acquire and then to configure it. – We don’t have time. – It isn’t our responsibility. – The security team wouldn’t accept our scans anyway.  Open-source tools  Focus on security, not compliance  Limited time
  • 28. 28© Copyright 2013 Coveros, Inc. All rights reserved. Personal Experience  Web application scans with w3af  Vulnerability assessments with OpenVAS  Security standards checks with Openscap  Initial implementation ~ a day each  No more freebies
  • 29. 29© Copyright 2013 Coveros, Inc. All rights reserved. Conclusion  Earlier security testing – Less likely to skip – More likely to remediate  Open-source tools  Other testing as foundation  Gradually add more security tests  Continuous Delivery and Cloud Computing give security testing opportunities
  • 30. 30© Copyright 2013 Coveros, Inc. All rights reserved. Questions? Gene Gotimer Email: gene.gotimer@coveros.com Twitter: @CoverosGene