Presentation security automation (Selenium Camp)

•

1 like•165 views

Artyom Rozumenko

Presentation about my experience of enabling security automation for a big enterprise

Engineering

Artem Rozumenko
S o l u t i o n A r c h i t e c t
10+ years in Software testing
7+ years in non-functional testing
5+ years in Solution Architecture
Preferable CI: Jenkins
Preferable language: Python
Preferable load tool: Gatling

5
Billions US
Dollars
MARKET
2x
Security Breaches
in 2018 vs 2017
>2BPersonal records
LEAKED
WHAT ABOUT SECURITY ?
4
Billions US
Dollars
FINES
CARRIER | Continuous Test Execution Platform

Continuous Security Test
Execution
Integrate security tests/scans
as a quality gate of CI/CD
process
Security Testing Service
Perform manual security tests of
application
Application Security Program
Enable S-SDLC for the whole
company
SCOPE OF SECURITY TESTING
CARRIER | Continuous Test Execution Platform

Run security scanners in
your CI, what a big deal ?
CARRIER | Continuous Test Execution Platform

RUN
STATIC
SCANS
RUN
DYNAMIC
SCANS
VALIDATE
SCAN
RESULTS
VALIDATE
FIXES
25%68%6%1%
85% of findings are false-positives
CARRIER | Continuous Test Execution Platform
LET’S SEE WHERE THE TIMEOF AN ENGINEER IS

CARRIER | Continuous Test Execution Platform
LET’S SEE WHERE THE TIMEOF AN ENGINEER IS

CARRIER | Continuous Test Execution Platform
WHAT WE HAVE NOW
• Many products release with significant security
issues that cause data leaks or service failures
• Out of the box solutions mostly build for security
engineers and barely suitable for CI
• Scanners generate enormous amount of noise that
results in complete ignorance from development

CARRIER | Continuous Test Execution Platform
SOUNDS LIKE WE GOT A TARGET
• Run Static Scan in CI as a quality gate
• Make it run for less then 10 minutes
• Create results that won’t be ignored by developers
• Make Dynamic scans useful

EXPERIMENT
CARRIER | Continuous Test Execution Platform
• Take a public repo
• Run Standard approach
• Run Carrier approach
• Compare results

CARRIER | Continuous Test Execution Platform
SONAR + SpotBugs
19minutes
24Kfindings

CARRIER | Continuous Test Execution Platform
CARRIER + SpotBugs
4.5minutes
4.5Kfindings

How to make results actionable with less efforts?
CARRIER | Continuous Test Execution Platform

CARRIER | Continuous Test Execution Platform
RE-PROCESSING OUTCOME
• Group same type of vulnerabilities in same file
• Translate findings to actions
• Automatically filter false-positives
• Do not convert all the valid findings into issues
https://github.com/carrier-io/sast

This is how it works in production
CARRIER | Continuous Test Execution Platform

CARRIER | Continuous Test Execution Platform
CANONICAL DATA MODEL

CARRIER | Continuous Test Execution Platform
DEDUPLICATION ON THE GO
DEDUPLICATION
GROUPING

CARRIER | Continuous Test Execution Platform
FILTERING FALSE-POSITIVES
https://github.com/reportportal/service-analyzer-equals

WHAT ABOUT DYNAMIC SCANS
CARRIER | Continuous Test Execution Platform

CARRIER | Continuous Test Execution Platform
THERE ARE DIFFERENT SCANS
External Intruder Internal Intruder

EXPERIMENT
CARRIER | Continuous Test Execution Platform
• Take some well known site
• Take single well known tool
• Limit scope of vulnerabilities
• Perform authenticated scan
• Performance unauthenticated scan
• Compare results

CARRIER | Continuous Test Execution Platform
RESULTS
External Intruder Internal Intruder
13M req
2h scan
17 findings
100% FPs
4M req
20h scan
200 findings
99% FPs

CARRIER | Continuous Test Execution Platform
WE HAVE ANOTHER ONE
Automated Tests ran
through Security Tool

CARRIER | Continuous Test Execution Platform
RESULTS
Internal Intruder
True Automated
Intruder
200K req
25m scan
350 findings
95% FPs
4M req
20h scan
200 findings
99% FPs
https://hub.docker.com/r/getcarrier/dast

CARRIER | Continuous Test Execution Platform

CARRIER | Continuous Test Execution Platform
AS A SUMMARY
• You should test security as a part of your delivery
pipeline
• Post-processing of results helps to save time on analysis
• Automated tests helps to find great vulnerabilities
• Complex vulnerabilities should be added to functional
testing framework

CARRIER | Continuous Test Execution Platform
THANKS
https://github.com/carrier-io/sast
https://github.com/carrier-io/dast
https://hub.docker.com/r/getcarrier/sast
https://hub.docker.com/r/getcarrier/dast

What's hot

Multiple django applications on a single server with nginx

roskakori

{{more}} Kibana4

琛琳饶

Learn from Fastly veteran Cassandra Dixon on some of the most common customer issues we see — such as why things aren’t caching, misconfigured origins, issues with intermediary proxies, and VCL snafus — and the best ways to resolve them. We’ll also discuss our unique approach to debugging — using seemingly mundane tools to diagnose issues in creative ways — and how you can apply these methods to your own organization to get the most out of Fastly’s offerings.

Altitude SF 2017: Debugging Fastly VCL 101

Fastly

Tempest scenariotests 20140512

Masayuki Igawa

OpenStack API's and WSGI

Mike Pittaro

Import golang; struct microservice

Giulio De Donato

DevOpsDays Taipei 2017 - Terraform: Everything Is Code

smalltown

Using Document Databases with TYPO3 Flow

Karsten Dambekalns

Open stack qa and tempest

Kamesh Pemmaraju

Running a Spring Boot application but still want to benefit from Quarkus and its supersonic, subatomic Java capabilities? Me too! With a “hello world” everything looks simple, but what about a real app? Will it be easy? Or fun? In this session we’ll show our experience migrating a Spring Boot app to Quarkus. Technologies involved in the app include Hibernate, Prometheus, REST endpoints, and more. Be prepared to listen to a journey of reality, failure, and wins in the Quarkus universe.

Spring Boot to Quarkus: A real app migration experience | DevNation Tech Talk

Red Hat Developers

Through our support for running your own code on our edge servers, Fastly's network offers you a platform of unparalleled speed, reliability and efficiency to which you can delegate a surprising amount of logic that has traditionally been in the application layer. In this workshop, you'll implement a series of advanced edge solutions, and learn how to apply these patterns to your own applications to reduce your origin load, dramatically improve performance, and make your applications more secure.

Altitude NY 2018: Programming the edge workshop

Fastly

Dropwizard is a Java framework for developing ops-friendly, high-performance, painless RESTful web services. I've presented this simple & light-weight framework (with an example project) on 10th of June. Agenda: Presentation (20 minutes): - Definition & History (What is Dropwizard, versions, first commit etc.) - Libraries (Built-in libraries, what we use these for etc.) - User Manual (Project configuration, documentation, getting started etc.) - Performance (Comparison with other frameworks) - Versus (Dropwizard vs Springboot on technical terms) I've prepared a sample Brown Bag Seminars (BBS) application to demonstrate features of Dropwizard (with MongoDB integration). Sample Project & Code Review (40 minutes): - Project configuration - Resource - Representations - Views - Health checks - Metrics - Tests

Dropwizard

Abdulhadi ÇELENLİOĞLU

Slides from a talk given at DevSecCon on 206h October 2016 http://www.devseccon.com/blog/session/automating-owasp-zap/ The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free security tools. In this workshop you will learn how to automate security tests using ZAP. These tests can then be included in your continuous integration / delivery pipeline. Simon will cover the range of integration options available and then walk you through automating ZAP against a test application. The ZAP UI will be used to explain the concepts and python scripting used to drive ZAP via its API – this can then also be used to drive ZAP in daemon mode. This workshop is aimed at anyone interested in automating ZAP for security testing, including developers, functional testers (QA) and security/pentesters.

Automating OWASP ZAP - DevCSecCon talk

Simon Bennetts

Deploying Plack Web Applications: OSCON 2011

Tatsuhiko Miyagawa

If knowing is half the battle, having the most information available is the best way to win. Using real-time log streaming and a knowledge of the data passing through the system, metrics can provide more depth and breadth in to the goings on requests as they pass through various parts of the stack. This session will cover the difference between logging and metrics, writing JSON and Influx Line Protocol in VCL, and building out dashboards to give deeper insights (and more importantly, alerting) on requests and responses at the edge.

Altitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, Ever

Fastly

Logstash

琛琳饶

Java Microservices with Netflix OSS & Spring

Conor Svensson

Solving anything in VCL

Fastly

Planet9energy.com is a new electricity company building a sophisticated analytics and energy trading platform for the UK market. Since the earliest draft of the platform, we took the unconventional decision to go serverless and build the product on top of AWS Lambda and the Serverless framework using Node.js. In this talk, I want to discuss why we took this radical decision, what are the pros and cons of this approach and what are the main issues we faced as a tech team in our design and development experience. We will discuss how normal things like testing and deployment need to be re-thought to work on a serverless fashion but also the benefits of (almost) infinite self-scalability and the peace of mind of not having to manage hundreds of servers. Finally, we will underline how Node.js seems to fit naturally in this scenario and how it makes developing serverless applications extremely convenient. Technologies: Backend Frontend Application architecture Javascript cloud computing

Building a serverless company on AWS lambda and Serverless framework

Luciano Mammino

DevOps tools for everyone - Vagrant, Puppet and Webmin

postrational

What's hot (20)

Multiple django applications on a single server with nginx

{{more}} Kibana4

Altitude SF 2017: Debugging Fastly VCL 101

Tempest scenariotests 20140512

OpenStack API's and WSGI

Import golang; struct microservice

DevOpsDays Taipei 2017 - Terraform: Everything Is Code

Using Document Databases with TYPO3 Flow

Open stack qa and tempest

Spring Boot to Quarkus: A real app migration experience | DevNation Tech Talk

Altitude NY 2018: Programming the edge workshop

Dropwizard

Automating OWASP ZAP - DevCSecCon talk

Deploying Plack Web Applications: OSCON 2011

Altitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, Ever

Logstash

Java Microservices with Netflix OSS & Spring

Solving anything in VCL

Building a serverless company on AWS lambda and Serverless framework

DevOps tools for everyone - Vagrant, Puppet and Webmin

Similar to Presentation security automation (Selenium Camp)

Embedding Quality Engineering in DevOps pipeline

Aspire Systems

The DevOps Dance - Shift Left, Shift Right - Get It Right

Inflectra

Success in cross-browser test automation relies on many variables. Today’s reality forces practitioners within DevOps/Agile teams to join effort in assuring quality, removing risks, and releasing fast. To meet these goals, business testers, developers, and test automation engineers need to work together with the proper technology stack that matches their skillset. Join Perfecto’s Chief Evangelist and author, Eran Kinsbruner, in this session as he provides recommendations for high coverage, high reliability, and maintainability of cross-browser test automation. In this session, Eran will walk through the following topics: - Trends in cross-browser test automation. - Introduction to test automation using codeless and BDD Selenium tools. - The material differences between the three approaches: code-based Selenium, BDD, and codeless. Including a live demo of the various approaches.

Enhancing Your Test Automation Scenario Coverage with Selenium - QA or the Hi...

Perfecto by Perforce

As release velocity increases, teams are finding innovative ways to detect and resolve performance issues earlier in the development cycle. This session will explore how to integrate performance testing into a development lifecycle and why the practice is gaining popularity. Learn how to create a balanced test strategy that matches test type, coverage, environment, and defect target. Scale to deliver high-performing applications. Through continuous integration platforms, performance testing tools, and AppDynamics, see how automated performance testing can reduce time-to-market while increasing overall quality. Key takeaways: o How to get started with performance test automation o How to detect and resolve performance issues earlier in the development lifecycle with AppDynamics o How to maximize the quality and value of your performance test strategy Brad Stoner Senior Sales Engineer, AppDynamics Resources: KonaKart - http://www.konakart.com/ Adminer - https://www.adminer.org/ Jenkins - https://jenkins.io/ NeoLoad - http://www.neotys.com/neoload/overview AppDynamics - https://www.appdynamics.com/free-trial/ GitHub - https://github.com/ Docker Hub - https://hub.docker.com/

AppSphere 2016 - Automate performance testing with AppDynamics using continuo...

Brad Stoner

Concourse, Spinnaker, Cloud Foundry, Oh My! Creating Sophisticated Deployment...

VMware Tanzu

Ramesh Krishnamurthy, CTO at World DevOps Summit 2016

Indium Software

Applications are moving to cloud and containers to boost reliability and speed delivery to production. However, if we use the same old approaches to testing, we'll fail to achieve the benefits of cloud. But what do we really need to change? We know we need to automate tests, but how do we keep our automation assets from becoming obsolete? Automatically provisioning test environments seems close, but some parts of our applications are hard to move to cloud.

Modernizing Testing as Apps Re-Architect

DevOps.com

Cross-browser test automation continues to be a huge challenge. Test flakiness and code maintenance — together with the complexity of automating advanced scenarios in shrunken timelines — has created a need for next-gen test automation. And that’s where codeless testing can help. Powered by machine-learning and AI, codeless testing is best positioned to support test automation challenges and compliment code-based test scripts. Join Eran Kinsbruner, Chief Evangelist and author at Perfecto, along with Tzvika Shahaf, AVP Sales Engineering, as they take codeless test automation to the next level. In this webinar, you will learn how to create a robust codeless Selenium test script that can run in parallel against multiple browser permutations from within continuous integration (Jenkins, TeamCity, e.g.) environments. In this live webinar, Eran and Tzvika will cover the following: • The key benefits of codeless test automation and the challenges it solves. • How to configure codeless testing to run from within a scheduler or leading CI servers. • How to visualize parallel codeless testing via a CI dashboard. • How to get a single view of code-based and codeless in a single report.

Advanced Codeless Testing for Web Apps

Perfecto by Perforce

Making the leap to continuous delivery is precarious for any organization, but the concerns are greatly exacerbated when your organization services approximately 45 million bank accounts. Committed to maintaining flawless user experiences while accelerating release cadence, Capital One faced a daunting challenge as it transformed culture, processes, and technical infrastructure in its evolution to continuous delivery. Join this session with Capital One's Michael Bonamassa and Parasoft's Wayne Airole and learn from their insights on what DevTest changes are critical for responding to extreme digital disruption. Key takeaways: o The changing responsibilities of DevTest in a "continuous everything" world o What skill sets software testers need to ride the wave of digital transformation o How service virtualization and continuous testing measure the risk of a release candidate o How to evolve the culture and process to support continuous delivery o What technical infrastructure is required for real-time test automation and continuous delivery maturation For more information, go to: www.appdynamics.com

How CapitalOne Transformed DevTest or Continuous Delivery - AppSphere16

AppDynamics

4.4.2013 Software Quality - Regression Testing Automated and Manual - RFT/RQM

IBM Rational

The PAC aims to promote engagement between various experts from around the world, to create relevant, value-added content sharing between members. For Neotys, to strengthen our position as a thought leader in load & performance testing. Since its beginning, the PAC is designed to connect performance experts during a single event. In June, during 24 hours, 20 participants convened exploring several topics on the minds of today’s performance tester such as DevOps, Shift Left/Right, Test Automation, Blockchain and Artificial Intelligence.

Neotys PAC 2018 - Ramya Ramalinga Moorthy

Neotys_Partner

Many organizations today are adopting DevOps to accelerate software delivery. However, once they have invested significant time and money optimizing most parts of the software delivery process, testing often holds them back from achieving the desired results. Why? Because software testing is still dominated by yesterday’s tools and processes—which don’t meet the needs of today’s accelerated development processes. How can you ensure that you and your team help the organization achieve its objectives? Wayne Ariola says that the key is continuous testing—and Wayne doesn’t just mean test automation. He means the process of executing automated tests as part of the software delivery pipeline in order to obtain feedback as rapidly as possible on the business risks associated with a software release candidate. Join Wayne to learn what continuous testing requires from the tester and discover the steps you must take to ensure that you’re prepared for this transformation. Explore how the role of testing can and should shift from the reactive role of validating requirements to a more proactive “quality engineering” role that involves protecting and optimizing the business.

Traditional Testing: The Silent Killer of DevOps

TechWell

Todays' IT industry has vastly grown in multiple segments serving many time critical offerings. Need of the hour is continuous nature of requirements with the expectation of continuous delivery. Challenge in Agile methodology is managing 3 stages viz. requirements gathering, development & testing simultaneously. This nature of process has changed the traditional model of Waterfall process where each segment was controlled independently and process called Continuous Integration or Automated Integration is evolving. In this program, we will discuss about one virtual project having continuous mode of changing requirements and define Test Driven Development model using Open Source Tools combination.

Manoj kolhe - Continuous Integration Testing

Manoj Kolhe

DevOps and Splunk

Splunk

Getting value from your test automation is fundamental for fast feedback, risk reduction, and return on investment from your testing activities. Once developing the test scenarios, teams cannot stop monitoring and ensuring that their tests continuously bring value, are not flaky, and can support the latest functionalities in your web and mobile apps. Teams often “forget” about their tests once they have been developed and integrated into the CI pipeline — regardless of the value they bring. In this session, learn how to optimize your Appium and Selenium test suites so you can get more value from them.

How to Guarantee Continuous Value from your Test Automation

Perfecto by Perforce

0/5 You’ve built a new feature in your app that is ready ship. Or is it? How can you be sure you’ve not introduced regressions in cases you forgot to test? What if your code crashes only on certain devices? Could the feature freeze up for a few users? Shipping frequently with little to no functional, UX or performance issues or regressions is not easy - but it’s also a problem that has been solved before. Where things get a lot more interesting is how to keep the same quality bar when you have hundreds of pull requests going in every day, with tens or hundreds of developers working on the same project? How do you test that your app still works - with this kind of scale? In this talk, you’ll learn about the different approaches we combined into a system used by hundreds of mobile engineers at Uber to test our native iOS and Android apps during development, at release as well as when in production. We’ll talk about what did and what did not work for us on our journey of iterating frequently and continuously improving the quality bar.

Continuous testing at scale

Gergely Orosz

Zero-bug Software, Mathematically Guaranteed

Ashley Zupkus

A great deal of confusion surrounds the concepts of release automation, continuous integration, continuous delivery, and continuous deployment. Even some industry experts are confused about the differences. How these concepts work progressively to achieve high quality software delivery is generating a lot of discussion and controversy. Bryan Linder defines the methodology, processes, and tools associated with release automation, as well as the differences between its maturity levels. Understand the benefits of more frequent, smaller releases, and the exponential risk generated by large, infrequent releases. Hear highlights of industry case studies that demonstrate the substantial speed, quality, and ROI gains of improving your release automation process. Acquire the insight and motivation needed to take the next step—from wherever you organization is now—toward full release automation. Takeaways include a glossary of terms, a continuous integration tools comparison chart, and a release automation maturity chart.

Release Automation: Better Quality, Faster Deployment, Amazing ROI

TechWell

When executing test automation at scale and continuously the value tends to decline over time, the team should follow recommended practices to keep their tests with high value. Getting the value from your test automation is fundamental for fast feedback, risk reduction and return on investment from your testing activities. Getting the value from your test automation is fundamental for fast feedback, risk reduction and return on investment from your testing activities. Once developing the test scenarios, teams cannot stop monitoring and ensuring that their tests continuously bring value, are not flaky, and can support the latest functionalities in your web and mobile apps. Teams often “forget” about their tests once they have been developed and integrated into the CI pipeline regardless of the value they bring. Key Takeaways: -How to make smart decisions regarding which test scenarios to automate? -What are the criteria for a test to get included in the CI and continuous testing pipeline? -How to continuously maintain the tests and optimize your suite so it continues to bring value? -See a live demo of smart reporting and analytics that can serve as a monitoring and test maintenance tool.

Keeping Your Continuous Test Automation Continuously Valuable

Perfecto by Perforce

How to get the most out of your CI/CD workflow using automated testing - Sauc...

twaintaylorb2b

Recently uploaded

Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil

Cara Menggugurkan Kandungan 087776558899

"Lesotho Leaps Forward: A Chronicle of Transformative Developments"

mphochane1998

Unleashing the Power of the SORA AI lastest leap

RishantSharmaFr

Generative AI or GenAI technology based PPT

bhaskargani46

Rule 1 − Check for the blocks connected in series and simplify. Rule 2 − Check for the blocks connected in parallel and simplify. Rule 3 − Check for the blocks connected in feedback loop and simplify. Rule 4 − If there is difficulty with take-off point while simplifying, shift it towards right. Rule 5 − If there is difficulty with summing point while simplifying, shift it towards left. Rule 6 − Repeat the above steps till you get the simplified form, i.e., single block.

Block diagram reduction techniques in control systems.ppt

NANDHAKUMARA10

DeepFakes presentation : brief idea of DeepFakes

MayuraD1

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

ssuser89054b

Bridge Jacking Design Sample Calculation.pptx

nuruddin69

data_management_and _data_science_cheat_sheet.pdf

JiananWang21

Rums floating Omkareshwar FSPV IM_16112021.pdf

smsksolar

Motoring and generation Armature circuit equation for motoring and generation, Types of field excitations - separately excited, shunt and series. Open circuit characteristic of separately excited DC generator, back EMF with armature reaction, voltage build-up in a shunt generator, critical field resistance and critical speed. V-I characteristics and torque-speed characteristics of separately excited shunt and series motors. Speed control through armature voltage. Losses, load testing and back-to-back testing of DC machines

DC MACHINE-Motoring and generation, Armature circuit equation

BhangaleSonal

kiln thermal load.pptx kiln tgermal load

hamedmustafa094

Online Food Ordering System is proposed for simplifies the food ordering process. ThisSystem shows an user interface and update the menu with all available options so that it eases thecustomer work. Customer can choose more than one item to make an order and can view Orderdetails before logging off. The order confirmation is sent to the customer. The order is placed inthe queue and updated in the Database and returned in real time. This system assists the staff togo through the orders in real time and process it efficiently. Online food order system is mainlydesigned primarily function for use in the food delivery industry. This system will allowhotels and restaurants to increase online food ordering such type of business. The customerscan be selected food menu items just few minutes. In the modern food industries allows toquickly and easily delivery on customer place. Restaurant employees then use these ordersthrough an easy to delivery on customer place easy find out navigate graphical interface forefficient processing .

Online food ordering system project report.pdf

Kamal Acharya

STEAM NOZZLES AND TURBINES Flow of steam through nozzles, shapes of nozzles, effect of friction, critical pressure ratio, supersaturated flow - impulse and reaction principles, velocity diagram, work done and efficiency – types of compounding - governors. AIR COMPRESSORS Classification - working principle - type of compressors, work of compression with and without clearance - volumetric efficiency - isothermal and isentropic efficiency of reciprocating compressors - multistage air compressor with inter cooling.

Thermal Engineering -unit - III & IV.ppt

DineshKumar4165

HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR

KOUSTAV SARKAR

Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service

meghakumariji156

Introduction to Serverless with AWS Lambda

Omar Fathy

FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads

Arindam Chakraborty, Ph.D., P.E. (CA, TX)

From customer value engagements to hands-on production support, our Services span across every stage of our customers digital transformation journey, to help ensure that every customer is successful in their adoption of our solutions. • Implementation, Upgrade, Migration, and Maintenance Services • On-Premises and On-Cloud • COTS Training Services; On-Site and Virtual • Software Support Services; Legacy and 3DEXPERIENCE • Value Engagement & Blueprinting • Specialized Consulting and Support Services • Customized Training Services • Automation and Configuration Services • Technical Resource Augmentation Services • Project Management • Know-how Training (mentoring) and Resource Augmentation

Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...

Arindam Chakraborty, Ph.D., P.E. (CA, TX)

2016EF22_0 solar project report rooftop projects

smsksolar

Recently uploaded (20)

Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil

"Lesotho Leaps Forward: A Chronicle of Transformative Developments"

Unleashing the Power of the SORA AI lastest leap

Generative AI or GenAI technology based PPT

Block diagram reduction techniques in control systems.ppt

DeepFakes presentation : brief idea of DeepFakes

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Bridge Jacking Design Sample Calculation.pptx

data_management_and _data_science_cheat_sheet.pdf

Rums floating Omkareshwar FSPV IM_16112021.pdf

DC MACHINE-Motoring and generation, Armature circuit equation

kiln thermal load.pptx kiln tgermal load

Online food ordering system project report.pdf

Thermal Engineering -unit - III & IV.ppt

HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR

Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service

Introduction to Serverless with AWS Lambda

FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads

Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...

2016EF22_0 solar project report rooftop projects

Presentation security automation (Selenium Camp)

1. Rollercoaster of Security Automation

2. Artem Rozumenko S o l u t i o n A r c h i t e c t 10+ years in Software testing 7+ years in non-functional testing 5+ years in Solution Architecture Preferable CI: Jenkins Preferable language: Python Preferable load tool: Gatling

3. 5 Billions US Dollars MARKET 2x Security Breaches in 2018 vs 2017 >2BPersonal records LEAKED WHAT ABOUT SECURITY ? 4 Billions US Dollars FINES CARRIER | Continuous Test Execution Platform

4. Continuous Security Test Execution Integrate security tests/scans as a quality gate of CI/CD process Security Testing Service Perform manual security tests of application Application Security Program Enable S-SDLC for the whole company SCOPE OF SECURITY TESTING CARRIER | Continuous Test Execution Platform

5. Run security scanners in your CI, what a big deal ? CARRIER | Continuous Test Execution Platform

6. RUN STATIC SCANS RUN DYNAMIC SCANS VALIDATE SCAN RESULTS VALIDATE FIXES 25%68%6%1% 85% of findings are false-positives CARRIER | Continuous Test Execution Platform LET’S SEE WHERE THE TIMEOF AN ENGINEER IS

7. CARRIER | Continuous Test Execution Platform LET’S SEE WHERE THE TIMEOF AN ENGINEER IS

8. CARRIER | Continuous Test Execution Platform WHAT WE HAVE NOW • Many products release with significant security issues that cause data leaks or service failures • Out of the box solutions mostly build for security engineers and barely suitable for CI • Scanners generate enormous amount of noise that results in complete ignorance from development

9. CARRIER | Continuous Test Execution Platform SOUNDS LIKE WE GOT A TARGET • Run Static Scan in CI as a quality gate • Make it run for less then 10 minutes • Create results that won’t be ignored by developers • Make Dynamic scans useful

10. EXPERIMENT CARRIER | Continuous Test Execution Platform • Take a public repo • Run Standard approach • Run Carrier approach • Compare results

11. CARRIER | Continuous Test Execution Platform SONAR + SpotBugs 19minutes 24Kfindings

12. CARRIER | Continuous Test Execution Platform CARRIER + SpotBugs 4.5minutes 4.5Kfindings

13. How to make results actionable with less efforts? CARRIER | Continuous Test Execution Platform

14. CARRIER | Continuous Test Execution Platform RE-PROCESSING OUTCOME • Group same type of vulnerabilities in same file • Translate findings to actions • Automatically filter false-positives • Do not convert all the valid findings into issues https://github.com/carrier-io/sast

15. This is how it works in production CARRIER | Continuous Test Execution Platform

16. CARRIER | Continuous Test Execution Platform CANONICAL DATA MODEL

17. CARRIER | Continuous Test Execution Platform DEDUPLICATION ON THE GO DEDUPLICATION GROUPING

18. CARRIER | Continuous Test Execution Platform FILTERING FALSE-POSITIVES https://github.com/reportportal/service-analyzer-equals

19. WHAT ABOUT DYNAMIC SCANS CARRIER | Continuous Test Execution Platform

20. CARRIER | Continuous Test Execution Platform THERE ARE DIFFERENT SCANS External Intruder Internal Intruder

21. EXPERIMENT CARRIER | Continuous Test Execution Platform • Take some well known site • Take single well known tool • Limit scope of vulnerabilities • Perform authenticated scan • Performance unauthenticated scan • Compare results

22. CARRIER | Continuous Test Execution Platform RESULTS External Intruder Internal Intruder 13M req 2h scan 17 findings 100% FPs 4M req 20h scan 200 findings 99% FPs

23. CARRIER | Continuous Test Execution Platform WE HAVE ANOTHER ONE Automated Tests ran through Security Tool

24. CARRIER | Continuous Test Execution Platform RESULTS Internal Intruder True Automated Intruder 200K req 25m scan 350 findings 95% FPs 4M req 20h scan 200 findings 99% FPs https://hub.docker.com/r/getcarrier/dast

25. CARRIER | Continuous Test Execution Platform

26. CARRIER | Continuous Test Execution Platform AS A SUMMARY • You should test security as a part of your delivery pipeline • Post-processing of results helps to save time on analysis • Automated tests helps to find great vulnerabilities • Complex vulnerabilities should be added to functional testing framework

27. CARRIER | Continuous Test Execution Platform THANKS https://github.com/carrier-io/sast https://github.com/carrier-io/dast https://hub.docker.com/r/getcarrier/sast https://hub.docker.com/r/getcarrier/dast

Presentation security automation (Selenium Camp)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Presentation security automation (Selenium Camp)

Similar to Presentation security automation (Selenium Camp) (20)

Recently uploaded

Recently uploaded (20)

Presentation security automation (Selenium Camp)