
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015


  1. Ignite Session, DevOpsDays TLV 2015
  2. Nir Koren, DevOps Tech Lead, SAP Labs Israel: SECURITY TESTS as part of CONTINUOUS INTEGRATION
  3. WHOAMI / WHOAREWE: DevOps Tech Lead, SAP Labs Israel; SAP HANA Cloud Portal solution. https://il.linkedin.com/in/nirkoren, https://www.facebook.com/koren.nir, @KorenNir, @nir_koren
  4. FIXING A BUG COSTS (by phase: Coding, Unit Test, QA Testing, Field Test, Post release; figures shown on the slide: 25 $, 16,000 $, 1,000 $). Source: Applied Software Measurement, Capers Jones, 1996
  5. NORMALLY WE RUN: STATIC scans (per milestone), DYNAMIC scans (quarterly)
  6. DEV NEEDS FAST FEEDBACK TO BE AGILE: FREQUENT SCANS
  7. WE PROVIDE: FULL AUTOMATION, REPORTS & NOTIFICATIONS, TRANSPARENCY
  8. Identify the vulnerabilities (www.agilerecord.com): define the important ones to be addressed
  9. Transparency in Continuous Integration (www.agilerecord.com): make sure everyone knows the status
  10. Automated Processes (www.agilerecord.com): find a way to automate everything you can
  11. Automate reporting and notifications (www.agilerecord.com): push relevant info automatically to all
  12. SECURITY KEY PLAYERS: STATIC TOOLS, DYNAMIC TOOLS (IBM AppScan)
  13. IMPLEMENTATION (pipeline diagram; elements as shown on the slide): SCM, Build the Dev, Deploy AUT, Various Tests, nightly Security scans (CheckMarx, AppScan, Fortify), Results Analysis, Expose Data
  14. IBM AppScan implementation: Create a new scan (add your application URL); Configure policy and details (live system URL and login details; predefined scan policy and scan configuration)
  15. HP Fortify implementation: Create a new scan (on local server); Upload the FPR (to F360 server); Scan and audit (on F360 server); Generate reports (PDF and XML)
  16. CheckMarx implementation (Jenkins plugin, bi-directional): Connect to my project (on my local server); Create a scan (on Cx Central server); Scan and upload (on my local server); Scan and report (on Cx Central server); Generate reports (PDF and XML)
  17. HTTP XML: Exposed to all
  18. HTTP XML: Exposed to all
  19. The status contains links and info (internally developed): link to the PDF report; relevant info from the scan; status by our definition
  20. Everyone knows the status. Always. Both product and implementation teams are updated; new issues are fixed immediately; we never spend time on security fixes; security awareness in our group
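Slides 17 to 19 describe a CI step that reduces a scan report to a status "by our definition" and publishes it as XML with a link to the PDF report. The following is an added example of such a gate, not code from the talk or from any of the named tools; the report schema, the `POLICY` thresholds, the severity names and the report URL are constructed stand-ins for the real tool exports.

```python
import xml.etree.ElementTree as ET

# Constructed sample scan report (not a real AppScan/Fortify/Checkmarx export):
# the schema is an assumption standing in for the scanner's XML output.
SAMPLE_REPORT = """<scan tool="example-sast" build="nightly-42">
  <issue severity="High" category="SQL Injection" file="UserDao.java" line="88"/>
  <issue severity="Medium" category="XSS" file="Profile.jsp" line="12"/>
  <issue severity="Low" category="Info Leak" file="web.xml" line="3"/>
  <issue severity="High" category="Path Traversal" file="Download.java" line="41"/>
</scan>"""

# "Status by our definition": the gate the team agrees on, applied identically on every run.
# Maximum allowed findings per severity; severities not listed are unlimited (assumed policy).
POLICY = {"High": 0, "Medium": 5}

def summarize(report_xml):
    """Count findings per severity from the scan report XML."""
    root = ET.fromstring(report_xml)
    counts = {}
    for issue in root.iter("issue"):
        sev = issue.get("severity", "Unknown")
        counts[sev] = counts.get(sev, 0) + 1
    return root.get("tool"), root.get("build"), counts

def evaluate(counts, policy=POLICY):
    """Return 'RED' when any severity exceeds its policy threshold, else 'GREEN'."""
    for sev, limit in policy.items():
        if counts.get(sev, 0) > limit:
            return "RED"
    return "GREEN"

def build_status(report_xml, pdf_url, policy=POLICY):
    """Build the status XML that the CI job would expose over HTTP to everyone."""
    tool, build, counts = summarize(report_xml)
    status = ET.Element("status", tool=tool, build=build, result=evaluate(counts, policy))
    ET.SubElement(status, "report", href=pdf_url)          # link to the PDF report
    for sev, n in sorted(counts.items()):                  # relevant info from the scan
        ET.SubElement(status, "findings", severity=sev, count=str(n))
    return ET.tostring(status, encoding="unicode")

if __name__ == "__main__":
    # Placeholder URL; the real link would point at the report the scanner generated.
    print(build_status(SAMPLE_REPORT, "https://ci.example.invalid/reports/nightly-42.pdf"))
```

A RED result is what a CI job would turn into a failed build and a notification, so the gate runs on every scan rather than only at a milestone.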
