SlideShare a Scribd company logo

[Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration

Download as PPTX, PDF
Rakuten Group, Inc., profile picture
Rakuten Group, Inc.

This document summarizes a presentation about integrating security checks into continuous integration workflows. It discusses recent security incidents like Heartbleed and Shellshock to demonstrate that regular security updates are needed. It promotes testing applications continuously using CI tools rather than just before release. Open-source security scanning tools like OWASP ZAP and Nmap are presented for checking web applications and infrastructure as part of CI pipelines. The document also introduces Walti.io as a service for easily running security scans from a dashboard at a low cost in a continuous manner.

Technology
1 of 52
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
Security Checking, as a part of Continuous Integration Rakuten Technology Conference 2014 @ FUKUOKA
Who am I ? Masanori Fujisaki Twitter: @fujisaki_hb Facebook: fujisaki.masanori Founder & CEO HEARBTEATS Corp. ( since April, 2005) Walti, Inc. ( since July, 2014 ) Entrepreneur & Infrastructure Engineer I was born in Iiduka, Fukuoka, and grew up in Kitakyusyu, Fukuoka, and now live in Shibuya, Tokyo.
Who am I ? Masanori Fujisaki Twitter: @fujisaki_hb Facebook: fujisaki.masanori Founder & CEO HEARBTEATS Corp. ( since April, 2005) Walti, Inc. ( since July, 2014 ) Entrepreneur & Infrastructure Engineer I was born in Iiduka, Fukuoka, and grew up in Kitakyusyu, Fukuoka, and now live in Shibuya, Tokyo.
Today’s Topics 1. Recent Security Incidents. 2. Why you need to do security checking as a part of Continuous Integration. 3. Some Open Source Security Check Tools 4. Some Security Communities and Organizations 5. About Walti.io
Recent Security Incidents(1) Environmental Pattern..
Recent Security Incidents(1) Environmental Pattern.. Heartbleed OpenSSL http://heartbleed.com/
Recent Security Incidents(1) Environmental Pattern.. Heartbleed OpenSSL http://heartbleed.com/ ShellShock Bash http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29
Recent Security Incidents(1) Environmental Pattern.. Heartbleed OpenSSL http://heartbleed.com/ ShellShock Bash http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29 POODLE SSL3.0 protocol https://www.openssl.org/~bodo/ssl-poodle.pdf
Recent Security Incidents(2) DDoS Pattern..
Recent Security Incidents(2) DDoS Pattern.. NTP Amplification Attack CloudFlare 400Gbps http://blog.cloudflare.com/technical-details-behind-a- 400gbps-ntp-amplification-ddos-attack/
Recent Security Incidents(2) DDoS Pattern.. NTP Amplification Attack CloudFlare 400Gbps http://blog.cloudflare.com/technical-details-behind-a- 400gbps-ntp-amplification-ddos-attack/ DNS Amplification Attack DNS Open Resolver https://www.us-cert.gov/ncas/alerts/TA13-088A
Recent Security Incidents(2) DDoS Pattern.. NTP Amplification Attack CloudFlare 400Gbps http://blog.cloudflare.com/technical-details-behind-a- 400gbps-ntp-amplification-ddos-attack/ DNS Amplification Attack DNS Open Resolver https://www.us-cert.gov/ncas/alerts/TA13-088A UPnP Device-Based Reflection Attack http://www.akamai.co.jp/enja/html/about/press/releases/2014/ press-101514-2.html
One of the Solutions Inbound Port 53 Blocking Inbound Port 123 Blocking http://www.kddi.com/important-news/20140825/
Recent Security Incidents(3) Frameworks Struts https://www.ipa.go.jp/security/ciadr/vul/20140417-struts.html Rails http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3514 One of the Solutions Request Pattern blocking by URL Filter or IDS/IDP
This means… Security Issues occur to each layer. We always need to do security updating. We have to develop secure applications. We have to manage infrastructure securely.
This means… Security Issues occur to each layer. We always need to do security updating. We have to develop secure applications. We have to manage infrastructure securely. You can not do those by yourself.
TEST
TEST Old Style TEST You test your application before release.
TEST Old Style TEST You test your application before release. Modern Style TEST You constantly test by CI Tools.
Security Check
Security Check Old Style Security Check You only check your application security before release.
Security Check Old Style Security Check You only check your application security before release. Modern Style Security Check You constantly check your app security by CI Tools.
Security Check, as a part of Continuous Integration.
Continuous Integration Security Checking develop deploy test
Continuous Integration Security Checking develop deploy test develop Test deploy to staging deploy to production Security check
Security Checking by OSS, as a part of Continuous Integration
for Web Application
for Web Application OWASP ZAP https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project zapper https://github.com/adedayo/zapper
for Web Application OWASP ZAP https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project zapper https://github.com/adedayo/zapper Skipfish https://code.google.com/p/skipfish/ shell http://cloudapplistore.biglobe.ne.jp/ca/help/devops_3_manual_Jenkins.pdf
for Web Application OWASP ZAP https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project zapper https://github.com/adedayo/zapper Skipfish https://code.google.com/p/skipfish/ shell http://cloudapplistore.biglobe.ne.jp/ca/help/devops_3_manual_Jenkins.pdf Wapiti http://wapiti.sourceforge.net/
for Infrastructure
for Infrastructure nmap http://nmap.org/ for Firewall / netfilter
for Infrastructure nmap http://nmap.org/ for Firewall / netfilter nikto https://www.cirt.net/Nikto2 for Web Server
for Infrastructure nmap http://nmap.org/ for Firewall / netfilter nikto https://www.cirt.net/Nikto2 for Web Server sslyze https://github.com/nabla-c0d3/sslyze for HTTPS setting
for Infrastructure nmap http://nmap.org/ for Firewall / netfilter nikto https://www.cirt.net/Nikto2 for Web Server sslyze https://github.com/nabla-c0d3/sslyze for HTTPS setting Metasploit http://www.metasploit.com/ All in one
CI Tools
CI Tools Jenkins An extendable open source Continuous Integration server http://jenkins-ci.org/
CI Tools Jenkins An extendable open source Continuous Integration server http://jenkins-ci.org/ Mozilla Minion An open source Security Automation platform. https://wiki.mozilla.org/Security/Projects/Minion http://heartbeats.jp/hbblog/2013/08/minion.html
Security Communities & Organizations
OWASP The Open Web Application Security Project (OWASP) https://www.owasp.org/ the free and open software security community Japan Chapter https://www.owasp.org/index.php/Japan OWASP Top 10 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
MITRE MITRE a not-for-profit organization that operates multiple federally funded research and development centers http://www.mitre.org/ CWE Common Weakness Enumeration http://cwe.mitre.org/ used by NIST, OWASP Top 10 project, etc…
CSIRT CSIRT Computer Security Incident Response Team CERT/CC JPCERT/CC NIRT(National Incident Response Team) Nippon CSIRT Association http://www.nca.gr.jp/
Japan MSP Association Japan MSP Association ( To be Founded on November 1, 2014 )
How can you do Security Checking Easily by OSS, as a part of Continuous Integration?
I have one proposal.
Walti.io
Walti.io is… https://walti.io/ Continuous Server-side Security Scanner Run Scans Easily from Dashboard Team-based Web Safety Protection Continuous Security Management API Support Impressive Low Cost
Scanners in Walti.io Portscan ¥10/scan Nikto ¥10/scan Sslyze ¥5/scan Skipfish ¥100/scan develop Test deploy to staging deploy to production Security check
Demo https://beta.walti.io/
Today’s Summary 1. Recent Security Incidences 2. Why you need to do security checking as a part of Continuous Integration. 3. Some Open Source Security Check Tools 4. Some Security Communities and Organizations 5. About Walti.io
Q & A
Thank you.

More Related Content

PDF
Running a High-Efficiency, High-Visibility Application Security Program with...
Denim Group
 
PDF
Optimizing Your Application Security Program with Netsparker and ThreadFix
Denim Group
 
PDF
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Denim Group
 
PDF
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
Denim Group
 
PDF
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Denim Group
 
PDF
BitSensor Webwinkel Vakdagen
webwinkelvakdag
 
PDF
Running an app sec program with OWASP projects_ Defcon AppSec Village
Vandana Verma
 
PDF
Beating the 1:100 Odds with Team Design for Security @ Open Security Summit, ...
Manuel Pais
 
Running a High-Efficiency, High-Visibility Application Security Program with...
Denim Group
 
Optimizing Your Application Security Program with Netsparker and ThreadFix
Denim Group
 
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Denim Group
 
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
Denim Group
 
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Denim Group
 
BitSensor Webwinkel Vakdagen
webwinkelvakdag
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Vandana Verma
 
Beating the 1:100 Odds with Team Design for Security @ Open Security Summit, ...
Manuel Pais
 

What's hot (20)

PDF
2014 09-04-pj
Sébastien GIORIA
 
PDF
5 Tips for Agile Mobile App Security Testing
NowSecure
 
PDF
AppSec is Eating Security
Alex Stamos
 
PDF
Guy Podjarmy - Secure Node Code
DevSecCon
 
PDF
Secure Coding for Java - An Introduction
Sebastien Gioria
 
PDF
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP
 
PDF
Addressing the Challenges of Mobile Test Automation
TechWell
 
PDF
Secure Coding For Java - Une introduction
Sebastien Gioria
 
PDF
5 Tips to Successfully Running a Bug Bounty Program
bugcrowd
 
PDF
Building a low cost hack lab
Joe McCray
 
PDF
DevOpsDays Taipei 2019 - 新創導入資安?從 DevSecOps 開始
Secview
 
PDF
Application Security on a Dime: A Practical Guide to Using Functional Open So...
POSSCON
 
PPTX
A bug's life - Decoupled Drupal Security and Vulnerability Management
Balázs Tatár
 
PPTX
Getting ready for a Capture The Flag Hacking Competition
Joe McCray
 
PPTX
Defining DevSecOps
Uchit Vyas ☁
 
PDF
OWASP, PHP, life and universe
Sebastien Gioria
 
PPTX
CLUSIR INFONORD OWASP iot 2014
Sebastien Gioria
 
PPTX
So you wanna be a pentester - free webinar to show you how
Joe McCray
 
PDF
Owasp API Security top 10 - The need of enterprise solutions for managing API...
Tharindu Edirisinghe
 
ODP
Broadcast presentation
Panoptic Development, Inc.
 
2014 09-04-pj
Sébastien GIORIA
 
5 Tips for Agile Mobile App Security Testing
NowSecure
 
AppSec is Eating Security
Alex Stamos
 
Guy Podjarmy - Secure Node Code
DevSecCon
 
Secure Coding for Java - An Introduction
Sebastien Gioria
 
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP
 
Addressing the Challenges of Mobile Test Automation
TechWell
 
Secure Coding For Java - Une introduction
Sebastien Gioria
 
5 Tips to Successfully Running a Bug Bounty Program
bugcrowd
 
Building a low cost hack lab
Joe McCray
 
DevOpsDays Taipei 2019 - 新創導入資安?從 DevSecOps 開始
Secview
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
POSSCON
 
A bug's life - Decoupled Drupal Security and Vulnerability Management
Balázs Tatár
 
Getting ready for a Capture The Flag Hacking Competition
Joe McCray
 
Defining DevSecOps
Uchit Vyas ☁
 
OWASP, PHP, life and universe
Sebastien Gioria
 
CLUSIR INFONORD OWASP iot 2014
Sebastien Gioria
 
So you wanna be a pentester - free webinar to show you how
Joe McCray
 
Owasp API Security top 10 - The need of enterprise solutions for managing API...
Tharindu Edirisinghe
 
Broadcast presentation
Panoptic Development, Inc.
 
Ad

Similar to [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration (20)

PPTX
Cloud Application Security: Lessons Learned
Jason Chan
 
PDF
Continuous Security Testing
Ray Lai
 
PDF
Including security in devops
Jérémy Matos
 
PPTX
Cloud Application Security: Lessons Learned
Jason Chan
 
PPTX
Security as Code
Ed Bellis
 
PDF
Are you ready for the next attack? Reviewing the SP Security Checklist
APNIC
 
PDF
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Barry Greene
 
PDF
Web Security... Level Up
Izzet Mustafaiev
 
PPTX
Securing the continuous integration
Irene Michlin
 
PPTX
Top10 Characteristics of Awesome Apps
Casey Lee
 
PDF
Are you ready for the next attack? Reviewing the SP Security Checklist
MyNOG
 
PPTX
Altitude SF 2017: Security at the edge
Fastly
 
PDF
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
PDF
Today's Cyber Challenges: Methodology to Secure Your Business
JoAnna Cheshire
 
PDF
Strategies on How to Overcome Security Challenges Unique to Cloud-Native Apps
VMware Tanzu
 
PPTX
How To Start Your InfoSec Career
Andrew McNicol
 
PPTX
Wo defensive trickery_13mar2017
Dan Kaminsky
 
PPT
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
PPTX
Security on AWS
CloudHesive
 
PDF
Building a Modern Security Engineering Organization
Zane Lackey
 
Cloud Application Security: Lessons Learned
Jason Chan
 
Continuous Security Testing
Ray Lai
 
Including security in devops
Jérémy Matos
 
Cloud Application Security: Lessons Learned
Jason Chan
 
Security as Code
Ed Bellis
 
Are you ready for the next attack? Reviewing the SP Security Checklist
APNIC
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Barry Greene
 
Web Security... Level Up
Izzet Mustafaiev
 
Securing the continuous integration
Irene Michlin
 
Top10 Characteristics of Awesome Apps
Casey Lee
 
Are you ready for the next attack? Reviewing the SP Security Checklist
MyNOG
 
Altitude SF 2017: Security at the edge
Fastly
 
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
Today's Cyber Challenges: Methodology to Secure Your Business
JoAnna Cheshire
 
Strategies on How to Overcome Security Challenges Unique to Cloud-Native Apps
VMware Tanzu
 
How To Start Your InfoSec Career
Andrew McNicol
 
Wo defensive trickery_13mar2017
Dan Kaminsky
 
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
Security on AWS
CloudHesive
 
Building a Modern Security Engineering Organization
Zane Lackey
 
Ad

More from Rakuten Group, Inc. (20)

PDF
EPSS (Exploit Prediction Scoring System)モニタリングツールの開発
Rakuten Group, Inc.
 
PPTX
コードレビュー改善のためにJenkinsとIntelliJ IDEAのプラグインを自作してみた話
Rakuten Group, Inc.
 
PDF
楽天における安全な秘匿情報管理への道のり
Rakuten Group, Inc.
 
PDF
What Makes Software Green?
Rakuten Group, Inc.
 
PDF
Simple and Effective Knowledge-Driven Query Expansion for QA-Based Product At...
Rakuten Group, Inc.
 
PDF
DataSkillCultureを浸透させる楽天の取り組み
Rakuten Group, Inc.
 
PDF
大規模なリアルタイム監視の導入と展開
Rakuten Group, Inc.
 
PDF
楽天における大規模データベースの運用
Rakuten Group, Inc.
 
PDF
楽天サービスを支えるネットワークインフラストラクチャー
Rakuten Group, Inc.
 
PDF
楽天の規模とクラウドプラットフォーム統括部の役割
Rakuten Group, Inc.
 
PDF
Rakuten Services and Infrastructure Team.pdf
Rakuten Group, Inc.
 
PDF
The Data Platform Administration Handling the 100 PB.pdf
Rakuten Group, Inc.
 
PDF
Supporting Internal Customers as Technical Account Managers.pdf
Rakuten Group, Inc.
 
PDF
Making Cloud Native CI_CD Services.pdf
Rakuten Group, Inc.
 
PDF
How We Defined Our Own Cloud.pdf
Rakuten Group, Inc.
 
PDF
Travel & Leisure Platform Department's tech info
Rakuten Group, Inc.
 
PDF
Travel & Leisure Platform Department's tech info
Rakuten Group, Inc.
 
PDF
OWASPTop10_Introduction
Rakuten Group, Inc.
 
PDF
Introduction of GORA API Group technology
Rakuten Group, Inc.
 
PDF
100PBを越えるデータプラットフォームの実情
Rakuten Group, Inc.
 
EPSS (Exploit Prediction Scoring System)モニタリングツールの開発
Rakuten Group, Inc.
 
コードレビュー改善のためにJenkinsとIntelliJ IDEAのプラグインを自作してみた話
Rakuten Group, Inc.
 
楽天における安全な秘匿情報管理への道のり
Rakuten Group, Inc.
 
What Makes Software Green?
Rakuten Group, Inc.
 
Simple and Effective Knowledge-Driven Query Expansion for QA-Based Product At...
Rakuten Group, Inc.
 
DataSkillCultureを浸透させる楽天の取り組み
Rakuten Group, Inc.
 
大規模なリアルタイム監視の導入と展開
Rakuten Group, Inc.
 
楽天における大規模データベースの運用
Rakuten Group, Inc.
 
楽天サービスを支えるネットワークインフラストラクチャー
Rakuten Group, Inc.
 
楽天の規模とクラウドプラットフォーム統括部の役割
Rakuten Group, Inc.
 
Rakuten Services and Infrastructure Team.pdf
Rakuten Group, Inc.
 
The Data Platform Administration Handling the 100 PB.pdf
Rakuten Group, Inc.
 
Supporting Internal Customers as Technical Account Managers.pdf
Rakuten Group, Inc.
 
Making Cloud Native CI_CD Services.pdf
Rakuten Group, Inc.
 
How We Defined Our Own Cloud.pdf
Rakuten Group, Inc.
 
Travel & Leisure Platform Department's tech info
Rakuten Group, Inc.
 
Travel & Leisure Platform Department's tech info
Rakuten Group, Inc.
 
OWASPTop10_Introduction
Rakuten Group, Inc.
 
Introduction of GORA API Group technology
Rakuten Group, Inc.
 
100PBを越えるデータプラットフォームの実情
Rakuten Group, Inc.
 

Recently uploaded (20)

PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Cloud computing and distributed systems.
kkkkkhan
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 

[Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration

  • 1. Security Checking, as a part of Continuous Integration Rakuten Technology Conference 2014 @ FUKUOKA
  • 2. Who am I ? Masanori Fujisaki Twitter: @fujisaki_hb Facebook: fujisaki.masanori Founder & CEO HEARBTEATS Corp. ( since April, 2005) Walti, Inc. ( since July, 2014 ) Entrepreneur & Infrastructure Engineer I was born in Iiduka, Fukuoka, and grew up in Kitakyusyu, Fukuoka, and now live in Shibuya, Tokyo.
  • 3. Who am I ? Masanori Fujisaki Twitter: @fujisaki_hb Facebook: fujisaki.masanori Founder & CEO HEARBTEATS Corp. ( since April, 2005) Walti, Inc. ( since July, 2014 ) Entrepreneur & Infrastructure Engineer I was born in Iiduka, Fukuoka, and grew up in Kitakyusyu, Fukuoka, and now live in Shibuya, Tokyo.
  • 4. Today’s Topics 1. Recent Security Incidents. 2. Why you need to do security checking as a part of Continuous Integration. 3. Some Open Source Security Check Tools 4. Some Security Communities and Organizations 5. About Walti.io
  • 5. Recent Security Incidents(1) Environmental Pattern..
  • 6. Recent Security Incidents(1) Environmental Pattern.. Heartbleed OpenSSL http://heartbleed.com/
  • 7. Recent Security Incidents(1) Environmental Pattern.. Heartbleed OpenSSL http://heartbleed.com/ ShellShock Bash http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29
  • 8. Recent Security Incidents(1) Environmental Pattern.. Heartbleed OpenSSL http://heartbleed.com/ ShellShock Bash http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29 POODLE SSL3.0 protocol https://www.openssl.org/~bodo/ssl-poodle.pdf
  • 10. Recent Security Incidents(2) DDoS Pattern.. NTP Amplification Attack CloudFlare 400Gbps http://blog.cloudflare.com/technical-details-behind-a- 400gbps-ntp-amplification-ddos-attack/
  • 11. Recent Security Incidents(2) DDoS Pattern.. NTP Amplification Attack CloudFlare 400Gbps http://blog.cloudflare.com/technical-details-behind-a- 400gbps-ntp-amplification-ddos-attack/ DNS Amplification Attack DNS Open Resolver https://www.us-cert.gov/ncas/alerts/TA13-088A
  • 12. Recent Security Incidents(2) DDoS Pattern.. NTP Amplification Attack CloudFlare 400Gbps http://blog.cloudflare.com/technical-details-behind-a- 400gbps-ntp-amplification-ddos-attack/ DNS Amplification Attack DNS Open Resolver https://www.us-cert.gov/ncas/alerts/TA13-088A UPnP Device-Based Reflection Attack http://www.akamai.co.jp/enja/html/about/press/releases/2014/ press-101514-2.html
  • 13. One of the Solutions Inbound Port 53 Blocking Inbound Port 123 Blocking http://www.kddi.com/important-news/20140825/
  • 14. Recent Security Incidents(3) Frameworks Struts https://www.ipa.go.jp/security/ciadr/vul/20140417-struts.html Rails http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3514 One of the Solutions Request Pattern blocking by URL Filter or IDS/IDP
  • 15. This means… Security Issues occur to each layer. We always need to do security updating. We have to develop secure applications. We have to manage infrastructure securely.
  • 16. This means… Security Issues occur to each layer. We always need to do security updating. We have to develop secure applications. We have to manage infrastructure securely. You can not do those by yourself.
  • 17. TEST
  • 18. TEST Old Style TEST You test your application before release.
  • 19. TEST Old Style TEST You test your application before release. Modern Style TEST You constantly test by CI Tools.
  • 21. Security Check Old Style Security Check You only check your application security before release.
  • 22. Security Check Old Style Security Check You only check your application security before release. Modern Style Security Check You constantly check your app security by CI Tools.
  • 23. Security Check, as a part of Continuous Integration.
  • 24. Continuous Integration Security Checking develop deploy test
  • 25. Continuous Integration Security Checking develop deploy test develop Test deploy to staging deploy to production Security check
  • 26. Security Checking by OSS, as a part of Continuous Integration
  • 28. for Web Application OWASP ZAP https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project zapper https://github.com/adedayo/zapper
  • 29. for Web Application OWASP ZAP https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project zapper https://github.com/adedayo/zapper Skipfish https://code.google.com/p/skipfish/ shell http://cloudapplistore.biglobe.ne.jp/ca/help/devops_3_manual_Jenkins.pdf
  • 30. for Web Application OWASP ZAP https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project zapper https://github.com/adedayo/zapper Skipfish https://code.google.com/p/skipfish/ shell http://cloudapplistore.biglobe.ne.jp/ca/help/devops_3_manual_Jenkins.pdf Wapiti http://wapiti.sourceforge.net/
  • 32. for Infrastructure nmap http://nmap.org/ for Firewall / netfilter
  • 33. for Infrastructure nmap http://nmap.org/ for Firewall / netfilter nikto https://www.cirt.net/Nikto2 for Web Server
  • 34. for Infrastructure nmap http://nmap.org/ for Firewall / netfilter nikto https://www.cirt.net/Nikto2 for Web Server sslyze https://github.com/nabla-c0d3/sslyze for HTTPS setting
  • 35. for Infrastructure nmap http://nmap.org/ for Firewall / netfilter nikto https://www.cirt.net/Nikto2 for Web Server sslyze https://github.com/nabla-c0d3/sslyze for HTTPS setting Metasploit http://www.metasploit.com/ All in one
  • 37. CI Tools Jenkins An extendable open source Continuous Integration server http://jenkins-ci.org/
  • 38. CI Tools Jenkins An extendable open source Continuous Integration server http://jenkins-ci.org/ Mozilla Minion An open source Security Automation platform. https://wiki.mozilla.org/Security/Projects/Minion http://heartbeats.jp/hbblog/2013/08/minion.html
  • 39. Security Communities & Organizations
  • 40. OWASP The Open Web Application Security Project (OWASP) https://www.owasp.org/ the free and open software security community Japan Chapter https://www.owasp.org/index.php/Japan OWASP Top 10 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  • 41. MITRE MITRE a not-for-profit organization that operates multiple federally funded research and development centers http://www.mitre.org/ CWE Common Weakness Enumeration http://cwe.mitre.org/ used by NIST, OWASP Top 10 project, etc…
  • 42. CSIRT CSIRT Computer Security Incident Response Team CERT/CC JPCERT/CC NIRT(National Incident Response Team) Nippon CSIRT Association http://www.nca.gr.jp/
  • 43. Japan MSP Association Japan MSP Association ( To be Founded on November 1, 2014 )
  • 44. How can you do Security Checking Easily by OSS, as a part of Continuous Integration?
  • 45. I have one proposal.
  • 47. Walti.io is… https://walti.io/ Continuous Server-side Security Scanner Run Scans Easily from Dashboard Team-based Web Safety Protection Continuous Security Management API Support Impressive Low Cost
  • 48. Scanners in Walti.io Portscan ¥10/scan Nikto ¥10/scan Sslyze ¥5/scan Skipfish ¥100/scan develop Test deploy to staging deploy to production Security check
  • 50. Today’s Summary 1. Recent Security Incidences 2. Why you need to do security checking as a part of Continuous Integration. 3. Some Open Source Security Check Tools 4. Some Security Communities and Organizations 5. About Walti.io
  • 51. Q & A

Editor's Notes