DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability Toolchain for SecDevOps
1 like620 views
The document discusses building an application vulnerability toolchain for SecDevOps. It advocates leveraging existing security tools like SAST and DAST scanners through automation to reuse human effort. The author describes their process of identifying how to test applications based on factors like the stack and platform. They also discuss instrumenting and testing REST APIs, building custom automation, correlating data from multiple scans and tools in a NoSQL database, and using tools like Docker, Selenium and OWASP ZAP through their APIs.
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability Toolchain for SecDevOps
- 1. Join the conversation #devseccon Building an Application Vulnerability Toolchain for SecDevOps By Abhay Bhargav, CTO - we45
- 2. Quick Intro • Co-author of Secure Java For Web Application Development • Author of PCI Compliance: A Definitive Guide • Passionate about Automation in Security • Avid Pythonista • Trainer and Workshop Lead for Security Training Workshops
- 3. The reason I got into this….
- 4. This is where we operate… End-to-end IT Development and Operations value Plan Code Build Test Release Deploy Operate DevOps Continuous Delivery Continuous Integration Agile development
- 5. Our Learnings - 1 • Leverage Automation for anti-fragile apps • Automation is a ‘misused‘ word. • Does NOT mean replace all human effort • It means, LEVERAGE human effort where it really adds value • REUSE human effort to generate actions
- 6. Our Learnings Identify how to test Leverage the best Build the rest And correlate!
- 7. Identify How to Test with SecDevOps Strategies • Objective: Identify implementation that makes sense • Stack • Platform • How Agile are you? • Existing DevOps Practices
- 8. Leverage the Best • Great SAST, DAST, etc out there, but…. • Different Tools to different things better • Why not leverage the best? • Spidering?? Really?? - Scripted Walkthroughs (Instrumented) is the way to go • What about Exploits? • Dockerize FTW!
- 9. Instrumenting and Testing REST API • Spidering Web Services/RESTful API is not feasible • Existing Test tools IMHO, are really not meant for Security Testing • We built a tool: • Chain API Requests + Variables • Data passed to Requestor from a YAML spec (easy to generate) • Built-in Fuzzer that works with JSON - Mapping JSON for Variables, etc • When passed with BurpSuite/ZAP/etc - Results are powerful
- 10. Target App w3af OWASP ZAP BURPSuite Professional Custom Automation/SAST
- 12. Build the Rest • Exploits • Orchestration Framework • Granular Control over the Testing Process • Correlation
- 13. Correlate • Correlate Data from across • Generic DAST Scans • Custom Automation • SAST • NoSQL DBs are suited for it • Attack Surface Mapping - is a Great idea!
- 14. Tools of our Trade - Where you start…. • Docker • Selenium, Python-Requests, YAML, XVFB • SAST Tools - Commercial and Open Source • Platform AST Impl • OWASP ZAP + python API • W3af + Python API • BurpSuite Pro + Jython API • ElasticSearch
- 15. Join the conversation #devseccon Thank you! Twitter: @abhaybhargav Linkedin: linkedin.com/in/abhaybhargav Blog: we45.com/blog