Post on 25-Jun-2020
transcript
8-12 May, 2017
Creating an Appsec Pipeline with Containers in a week
How we Failed and Succeeded. Jeroen Willemsen
About me
Jeroen Willemsen @commjoen jwillemsen@xebia.com
"Security architect" "Full-stack developer" "Mobile security"
Agenda
• The challenge
• The solution
• Bumps on the road
• Recap
The Challenge: What could possibly go wrong?
The Challenge: The landscape
The Challenge: Existing workflow
Pull & Merge → Build → Unit Test → Store Artifact → Deploy to Dev → E2E Test → Ready for Validation
The Challenge: New entries
• OWASP Dependency-Check
• License checkers
• [tool logos] & [tool logos]
• [tool logo] & SAST
• Etc…
The Solution: We got there, kind of…
The Solution: Extend build step
Add dependency & license checkers on top of quality tooling.
Get feedback FAST!
The Solution: Feeding ZAP & BURP
Pull & Merge → Build → Unit Test → Store Artifact → Deploy to Dev → E2E Test with proxy → Quick scan
Scheduled long scans
The Solution: DAST & reporting
The Solution: Clair
• Run Clair on the created containers.
• To do: run Clair regularly on the registry, add whitelists & integrate with ThreadFix.
The Solution: Containerize!
• Our tools embedded in containers:
  + Less additional platform complexities
  + Can run anywhere (locally / deployed)
  + Easy to scale
  - Still need to manage the data!
  - More assets that might contain vulnerabilities
• Not perfect: still have to harden our assets.
The Solution: a starting point
./clair-scanner app/threadfix example-whitelist.yaml http://10.200.98.63:6060 10.200.98.63
(arguments, in order: image to scan, whitelist file, Clair API URL, IP at which Clair can reach the scanner)
2017-05-12 10:50:19.712897 I | Analyzing 014fdc7e45e4e7c5967856fc65d7bb5ff0b324fe4ef1ac8ce448843ab310416a
And 9 other layers…
Giving:
2017-05-12 10:50:19.854789 I | Image contains unapproved vulnerabilities: [CVE-2017-6508]
- A vulnerability in wget…
- Used when creating the container
- Not used during runtime
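The whitelist decision the slide makes for CVE-2017-6508 (wget is only needed while building the image) is the kind of suppression that should carry a recorded reason and a review date, otherwise it quietly outlives its justification. The gate below is an added example, not code from the talk or from clair-scanner: it parses the "unapproved vulnerabilities" log line shown above and fails the build only for CVEs that have no still-valid whitelist entry. The whitelist structure, the review-by date and the log lines are constructed for this example; the format of the scanner's own example-whitelist.yaml is not reproduced.

```python
"""Added example (not from the talk): a CI gate over clair-scanner output.
Whitelist entries carry a justification and a review-by date so a suppression
such as "wget only used at build time" does not silently outlive its reason."""
import re
from datetime import date

# Constructed whitelist: CVE id -> (justification, review-by date as ISO string).
WHITELIST = {
    "CVE-2017-6508": (
        "wget: used when creating the container, not used during runtime",
        "2017-08-01",
    ),
}

# clair-scanner prints the Go slice as [CVE-a CVE-b ...]; commas are accepted too.
UNAPPROVED_RE = re.compile(r"Image contains unapproved vulnerabilities: \[([^\]]*)\]")


def parse_unapproved(log_lines):
    """Return the CVE ids clair-scanner reported as unapproved, in log order."""
    cves = []
    for line in log_lines:
        m = UNAPPROVED_RE.search(line)
        if m:
            cves.extend(c for c in re.split(r"[,\s]+", m.group(1)) if c)
    return cves


def gate(log_lines, whitelist, today):
    """Return (ok, blocking, suppressed). blocking: CVEs with no valid whitelist
    entry (unknown, or past its review-by date). suppressed: (cve, reason) pairs
    that were accepted and should be logged so the suppression stays visible."""
    today = date.fromisoformat(today)
    blocking, suppressed = [], []
    for cve in parse_unapproved(log_lines):
        entry = whitelist.get(cve)
        if entry is not None and today <= date.fromisoformat(entry[1]):
            suppressed.append((cve, entry[0]))
        else:
            blocking.append(cve)
    return (not blocking, blocking, suppressed)


# Constructed log lines modelled on the slide's clair-scanner output.
SAMPLE_LOG = [
    "2017-05-12 10:50:19.712897 I | Analyzing 014fdc7e45e4e7c5967856fc65d7bb5ff0b324fe4ef1ac8ce448843ab310416a",
    "2017-05-12 10:50:19.854789 I | Image contains unapproved vulnerabilities: [CVE-2017-6508]",
]

if __name__ == "__main__":
    ok, blocking, suppressed = gate(SAMPLE_LOG, WHITELIST, "2017-05-12")
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the pipeline step
```

Run it once with the whitelist entry expired (any date after 2017-08-01) and the same finding becomes blocking again, which is the point of the review-by date.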
The Solution: Did it work?
YES! Not all components are in, but feedback is already of great value.
The bumps on the road: And their countermeasures
Bump 1: False positives
• Use settings/plugins in app → no scaling.
• Use a DB with a framework:
• Use apps like [tool logos]
Bump 2: Legacy APIs
Test legacy APIs separately
Bump 3: Do not frustrate developers
• Give feedback fast!
• Automate all the things!
• Be part of the team
• Filter & suppress false positives ASAP
• Use known tooling
Bump 4: Integrating Burp proxy
• Integration with Burp is not completed
  – Custom builds for containers
  – At time of testing: additional extensions necessary to have a proper REST API
Bump 5: False negatives…
Security automation does not mean: no manual pentesting.
Even when you add more tools (which we have to…).
Bump 6: Platform team availability
Recap
• Automate all the things: get feedback FAST.
• Containerize
• Filter false positives
• Stub legacy APIs
• HELP developers, DO NOT frustrate!
• Still a need for manual pentesting & reviewing.
• Get platform-team support!
• Every part of the pipeline is a blessing!
QUESTIONS?
Thank you!
Appendices
App. 1: hot-swappable platform
• Infrastructure as Code
• Static Host OS
• High Availability By Default
• Use Autoscaling
• Externalize Data
• Automated Repeatable Bootstrapping
App. 2: Actual deployment
Render Fleet Unit File → Submit Fleet Unit → Start Containers → Register Service → Configure proxy