JSCONF 2018 - Baking security into DevOps - a tale of hunting down bugs before breakfast
- 1. Baking security into DevOps a tale of hunting down bugs before breakfast JSCONF.BE 2018
- 2. 2 Wouter Bloeyaert Security Consultant @NVISO Penetration Testing, Software Security, NVISO labs @someniak
- 3. 3 Todayโs topic Goal of todayโs presentation SEC
- 4. The struggle of integrating security into DevOps SecDevOps cycles Security Requirements Design Development Testing Deployment 4
- 5. 5 Why security matters? Some horror stories of what can happen.
- 6. Why security matters? Some horror stories of what can happen. 6
- 7. Investigate the incident Wake up your developers Information disclosure (GDPR) Financial loss & Data loss & Reputational Damage 7 Why security matters? Some horror stories of what can happen.
- 8. 8 Why security matters? How could it have been prevented? Using a secure development framework Penetration test report Writing secure Code Detecting vulnerabilities using automated testing Creating security requirements Security Requirements Design Development Testing Deployment
- 9. What do we want Searching for quick wins ๏ Highly automatable Easily implemented Decent Output 9
- 10. Integrating security into DevOps Vulnerabilities fixable using tools OWASP TOP 10 2017 A01 โ Injection A02 โ Broken Authentication A03 โ Sensitive Data Exposure A04 โ XML External Entities (XXE) A05 โ Broken Access Control A06 โ Security Misconfiguration A07 โ Cross-Site Scripting (XSS) A08 โ Insecure Deserialization A09 โ Using Components with Known Vulnerabilities A10 โ Insufficient Logging & Monitoring 10
- 11. Integrating security into DevOps Quick Wins โ Search for vulnerable code Code analysis using NodeJsScan 11
- 12. Integrating security into DevOps Demo 12
- 13. Integrating security into DevOps Quick Wins โ Keep your packages up to date Dependency analysis using NPM audit 13
- 14. Integrating security into DevOps Demo 14
- 15. Integrating security into DevOps Quick Wins โ Keep your packages up to date Dependency analysis using GitHub 15
- 16. Integrating security into DevOps Demo 16
- 17. Integrating security into DevOps Quick Wins โ Search for smelly code Detect smelly code using JSLint 17
- 18. Integrating security into DevOps Quick Wins โ Search for vulnerabilities in containers Use Dagda to find vulnerabilities in containers Application Content Application Code Application Server Bins & Libs Base Image Docker Engine Host OS Dagda scans your base image and installed libraries and base images. 18
- 19. Integrating security into DevOps Quick wins, but 1 issue 19
- 20. NVISOโs Use Case Our technology stack Code is developed On push Private Docker Registry Test/Production 20
- 21. NVISOโs Use Case Our technology stack (SoftSnitch) Webhook Pull source code Initiate scan Scan source code / application Log to GitHub issues/comments Push, Pull Request 21
- 23. NVISOโs Use Case What did we find? 23
- 24. Conclusions 24 โSecurity isnโt always that difficultโ
- 25. Conclusions 25 โHelp developers fix bugs, not frustrate themโ
- 27. 27 Wouter Bloeyaert Security Consultant @NVISO Penetration Testing, Software Security, NVISO labs @someniak