*AST in CI/CD by Ofer Maor
1. Join the conversation #DevSecCon
OFER MAOR
*AST in CI/CD
Making it Work!
Director, Enterprise Solutions
@OferMaor
linkedin.com/in/ofermaor
ofer.maor @ gmail.com
2. Speaker
• Enterprise Solutions @ Synopsys
• Over 20 Years in Cybersecurity
• Hacker at Heart
• Longtime OWASPer
• Pioneer of IAST
• DevSecOps/DevOpsSec Fan!
• Avid Photographer
Singapore Skyline, Feb 2017. Taken at DevSecCon Singapore!
4. Agenda
• Background – The *AST Landscape
• The CI/CD Challenge
• *AST Solutions for CI/CD – What works and what doesn't
• Building the right mix – How to make it Work!
6. Software Security is a Journey
[Diagram: maturity path from Tactical / Bolt-on to Strategic / Built-in, laid over the development workflow: Find → Remediate → Prevent]
Starting
• Pen testing to find vulnerabilities
• Compliance driven
• Low level testing
Evolving
• Augmenting internal teams with external resources for scalability
• Identify and prioritize vulnerabilities for remediation
• Integrating with DevOps
Optimizing
• Programmatically managing risk across your software release cycles
• Driving efficiencies through SDLC integration
• Purposeful blend of automated and manual testing processes
9. SAST – Static Application Security Testing
AKA: Static Code Analysis for Security
• Analyzes code to identify vulnerabilities
• Most prevalent AST solution today
• Challenges
  • Potential FPs
  • May require tuning and configuration
  • Hard to use for security professionals
• Offered in various flavors:
  • Analysis of (uncompiled) source code
  • Analysis of code & build
  • Analysis of binary code
  • Managed Service / Tool / IDE Plugin
[Diagram: control-flow graph with branches cond1 and cond2 over the statements a = malloc(10), b = 10, *a = b and free(a), the kind of path analysis a static analyzer performs]
10. DAST – Dynamic Application Security Testing
AKA: Web Application Scanner (Black Box)
• Sends HTTP tests to test running application
• Longest used AST technology
• Challenges
  • Accuracy of results
  • Not suited for dev – no code guidance
  • Performance (long testing times)
• Offered in various delivery forms:
  • On Premise
  • Cloud
  • Managed Services
  • Included in Professional Services
11. IAST – Interactive Application Security Testing
AKA: Runtime Code Analysis
• Runtime code analysis through instrumentation
• Youngest AST technology
• Challenges
  • Deployment of agents on tested servers
  • Requires integration into dev/devops environments
  • Coverage influenced by what's executed
• Comes with various "interpretations"
  • Inline/Passive IAST (Based on existing traffic)
  • Active IAST (Including HTTP Inducer)
  • DAST Add-on Only
  • RASP Add-on
[Diagram: IAST agent instrumenting a Front End / Back End / Database stack (HTTP/s, WS data, SQL data, ODBC)]
12. MAST – Mobile Application Security Testing
AKA: It's really a bunch of stuff bundled in one name…
• Under MAST, we can find…
  • Server side WS analysis – with SAST/DAST/IAST/etc.
  • Mobile code SAST
  • Mobile binary analysis (3rd party too…)
  • Mobile Behavioral Analysis (3rd party too…)
  • Reputation testing
  • SDK & Opensource
  • More…
• Challenges
  • Broad set of problems
  • Still evolving…
13. SCA – Software Composition Analysis
AKA: Open Source Library Scanning
• Searches known open source (and closed source) components in applications
• Rapidly growing testing segment
• Challenges
  • Additional technology on top of other *AST
  • Very broad scope
• Offered in different flavors
  • Binary Analysis for Supply Chain and 3rd Parties
  • Source Analysis for home grown security and licensing
  • On-premise / Cloud options
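To make the SCA slide concrete, here is an added example (not the speaker's or any vendor's code) of the core mechanic: read the pinned components out of a dependency manifest, match each against an advisory feed by version range, and flag licenses the policy rejects. The manifest, package names, advisory identifiers, license table and denied-license set are all constructed placeholders.

```python
"""Minimal software composition analysis (SCA) over a dependency manifest.

Added example for the SCA slide above; it is not the speaker's or any
vendor's code. The manifest, the advisory list, the license table and the
advisory identifiers below are all constructed placeholders.
"""
import re
from typing import NamedTuple


class Advisory(NamedTuple):
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix yet
    ident: str        # placeholder id, not a real CVE


# Constructed inventory, as a pipeline would read it from requirements.txt
SAMPLE_MANIFEST = """\
# constructed manifest; package names are hypothetical
examplelib==2.19.0
fakehttp==1.26.5
demoutil==0.9.1
"""

# Constructed advisory feed keyed by package name
ADVISORIES = [
    Advisory("examplelib", "2.0.0", "2.20.0", "ADV-EXAMPLE-0001"),
    Advisory("fakehttp", "1.0.0", "1.26.5", "ADV-EXAMPLE-0002"),
    Advisory("demoutil", "0.0.1", "", "ADV-EXAMPLE-0003"),
]

# Constructed license metadata and the licenses this hypothetical policy rejects
LICENSES = {"examplelib": "MIT", "fakehttp": "Apache-2.0", "demoutil": "AGPL-3.0"}
DENIED_LICENSES = {"AGPL-3.0"}


def parse_version(text: str) -> tuple:
    """Dotted numeric version -> comparable tuple, e.g. '1.26.5' -> (1, 26, 5)."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_manifest(text: str) -> dict:
    """Pinned 'name==version' lines -> {name: version}; comments and blanks skipped."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9.]*)", line)
        if not match:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        deps[match.group(1).lower()] = match.group(2)
    return deps


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (or when no fix exists)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def scan(manifest_text: str, advisories=ADVISORIES, licenses=LICENSES, denied=DENIED_LICENSES):
    """Return a list of (kind, package, version, detail) findings."""
    findings = []
    for name, version in parse_manifest(manifest_text).items():
        for adv in advisories:
            if adv.package == name and is_affected(version, adv):
                fix = f"fixed in {adv.fixed}" if adv.fixed else "no fix available"
                findings.append(("vulnerability", name, version, f"{adv.ident}: {fix}"))
        lic = licenses.get(name, "UNKNOWN")
        if lic == "UNKNOWN" or lic in denied:
            findings.append(("license", name, version, lic))
    return findings


if __name__ == "__main__":
    for kind, name, version, detail in scan(SAMPLE_MANIFEST):
        print(f"{kind:13} {name}=={version}  {detail}")
```

The version-range check is where real SCA tools spend their effort (non-numeric tags, ranges with several fixed branches, transitive dependencies); this example deliberately handles only pinned, numeric versions and raises on anything else rather than silently passing an unparsed line, which is the failure mode that turns a "clean" scan into a false negative.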
14. How Does it All Fit?
[Diagram: *AST activities mapped onto SDLC phases]
• Training – Core Security Training, Secure Coding Training, eLearning
• Requirements & Design – Architecture Risk Analysis, Security Code Design Analysis, Threat Modeling
• Implementation – SAST (IDE), SAST (Build), SCA (Source), IAST
• Verification – SAST (Managed), Fuzz Testing, SCA (Binary), Mobile Testing
• Release – DAST (Managed), Pen Testing, Network Pen Testing
19. CD Extreme
• Multiple production updates per day
• Multiple CI streams
• A/B UAT Testing
• Parallel testing and deployment
• No place for outsiders
Source: Wikipedia
22. SAST – Static Application Security Testing
AKA: Static Code Analysis for Security
• Speed: Instant to Hours (by Flavor)
• Integration: IDE, Build, Binary
• Ease of Use: Varies. Can be Complex
• Relevance: Can be overwhelming
• Actionability: Right on. Points to Line of Code
23. SAST Flavors
• IDE "Spellchecker": Lightweight, Instant
• In-IDE Incremental: Pre-checkin, Minutes
• Integration/Build: CI, Minutes to Hours
• Binary Analysis: Post Build. Hours
• Managed Service: External. Days
24. DAST – Dynamic Application Security Testing
AKA: Web Application Scanner (Black Box)
• Speed: Hours to Days
• Integration: Not Really…
• Ease of Use: Requires some security skills
• Relevance: Focus on Front end (but some FPs)
• Actionability: Difficult.
25. IAST – Interactive Application Security Testing
AKA: Runtime Code Analysis
• Speed: Instant to Hours (by Flavor)
• Integration: Test Automation
• Ease of Use: Easy (once deployed)
• Relevance: Very relevant. Actual executed LoC
• Actionability: Right on. Points to Line of Code
26. IAST Flavors
• Inline/Passive: Lightweight, Instant. Integrates with Existing Tests
• Active: Minutes (Incremental) – Hours. Requires dedicated testing
27. SCA – Software Composition Analysis
AKA: Open Source Library Scanning
• Speed: Minutes to Hours
• Integration: IDE, Build, Binary
• Ease of Use: Fairly Easy
• Relevance: Hard to determine actual impact
• Actionability: Not always straightforward
29. Key Principles
• If You Can't Beat Them – Join Them!
• Automation, Automation, Automation
• Alt-Ctrl, Shift-Left (But not just…)
• Multiple Technologies, Multiple Flavors, Multiple Times!
• Parallel Processes in Parallel Speeds
• You're Going to HAVE TO Live with some Risk
30. Risk Appetite
"Amount and type of risk that an organization is prepared to pursue, retain or take"
Source: ISO 31000 risk management standard
31. Understanding Risk
• Exploitable Vulnerabilities
• Misc. Vulnerabilities
• Potentially Vulnerable Code
• Insecure Coding Practice
• Bad Coding Practice
• Public Front End
• Limited Access Front End
• Back End / Internal
32. Making it All Work!
• Use "Instant/Passive" solutions as much as possible
  • In-IDE "Spell Checker" Static Analysis
  • Inline IAST
• Define PRACTICAL policies for "Hard" and "Soft" gates:
  • Hard Gates – Stop the process
  • Soft Gates – Put in motion a correction process
• Use "Layers" of testing at different stages
34. Fast vs Slow
• Rely heavily on integrated/fast technologies
• Key criteria – "does not get in the way"
• Define practical blocking criteria – be realistic
• All the rest – In the backlog
35. Accept A/B Testing
• Gradual A/B Testing is replacing "Test Environments"
• Manage A/B Testing exposure as part of risk management
• Use it! A/B Testing gives you the best test environment
• Create the right "Retro" gates by risk:
  • High – Block propagation and roll back
  • Medium – Block propagation until fix is delivered (but don't roll back)
  • Low – Continue propagation but with a fix following right up
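Slides 31 to 35 describe a policy rather than a tool: classify each finding by vulnerability class and exposure, let only the serious ones trip a hard gate, route the rest into a correction process or the backlog, and apply separate "retro" gates to a change that is already in an A/B rollout. The following added example (not the speaker's code or any product's) wires those rules into one evaluator; the severity weights, the risk matrix thresholds, the tool names and the sample findings are constructed assumptions, since the talk gives the categories but not the numbers.

```python
"""Gate policy for *AST results in a CI/CD pipeline and an A/B rollout.

Added example illustrating the risk model (slide 31), hard/soft gates
(slides 32 and 34) and the A/B "retro" gates (slide 35). It is not code
from the talk or from any product; the risk matrix, thresholds, tool names
and sample findings are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Finding(Enum):
    """Vulnerability classes from slide 31, weighted most to least severe (assumed)."""
    EXPLOITABLE = 5
    MISC_VULNERABILITY = 4
    POTENTIALLY_VULNERABLE_CODE = 3
    INSECURE_CODING_PRACTICE = 2
    BAD_CODING_PRACTICE = 1


class Exposure(Enum):
    """Where the affected code is reachable from (slide 31), weighted (assumed)."""
    PUBLIC_FRONT_END = 3
    LIMITED_ACCESS_FRONT_END = 2
    BACK_END_INTERNAL = 1


@dataclass(frozen=True)
class Result:
    tool: str          # which *AST tool produced the finding
    finding: Finding
    exposure: Exposure
    location: str      # file:line or component, for the ticket


def risk_level(finding: Finding, exposure: Exposure) -> str:
    """Constructed risk matrix: severity weight x exposure weight -> level."""
    score = finding.value * exposure.value  # 1..15
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def gate_action(result: Result) -> str:
    """Hard gate blocks the pipeline; soft gate starts a correction process."""
    level = risk_level(result.finding, result.exposure)
    if level == "high":
        return "block"      # hard gate: stop the process
    if level == "medium":
        return "correct"    # soft gate: open a fix ticket, let the build through
    return "backlog"        # everything else waits in the backlog


def evaluate_pipeline(results):
    """Return (verdict, actions); actions groups results by gate action."""
    actions = {"block": [], "correct": [], "backlog": []}
    for r in results:
        actions[gate_action(r)].append(r)
    verdict = "FAIL" if actions["block"] else "PASS"
    return verdict, actions


def retro_gate(level: str, fix_delivered: bool = False) -> dict:
    """Slide 35 retro gates for a change that is already in an A/B rollout."""
    if level == "high":
        return {"propagate": False, "rollback": True, "followup_fix": True}
    if level == "medium":
        return {"propagate": fix_delivered, "rollback": False, "followup_fix": True}
    return {"propagate": True, "rollback": False, "followup_fix": True}


def worst_level(results) -> str:
    """Highest risk level among the results; 'low' when there are none."""
    order = {"low": 0, "medium": 1, "high": 2}
    levels = [risk_level(r.finding, r.exposure) for r in results] or ["low"]
    return max(levels, key=order.__getitem__)


# Constructed sample findings, as a fast pipeline stage might collect them.
SAMPLE_RESULTS = [
    Result("sast-ide", Finding.EXPLOITABLE, Exposure.PUBLIC_FRONT_END, "login.py:42"),
    Result("iast-inline", Finding.POTENTIALLY_VULNERABLE_CODE,
           Exposure.LIMITED_ACCESS_FRONT_END, "api/export.py:17"),
    Result("sca-source", Finding.MISC_VULNERABILITY, Exposure.BACK_END_INTERNAL, "batch-lib 1.2.0"),
]


if __name__ == "__main__":
    verdict, actions = evaluate_pipeline(SAMPLE_RESULTS)
    print("pipeline:", verdict)
    for action, items in actions.items():
        for r in items:
            print(f"  {action:8} {r.tool:12} {r.location}")
    print("retro gate:", retro_gate(worst_level(SAMPLE_RESULTS)))
```

The point of keeping the matrix in one function is the "be realistic" criterion from slide 34: the thresholds are the knob the team turns, and they should be turned in one place and reviewed with R&D, not scattered across per-tool scripts. Note that the same finding lands in different gates depending on exposure, which is what makes the policy survive a fast pipeline without blocking on every internal-only result.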
36. Summary
• Software Security testing is complex, even more so in CI/CD
• Unfortunately – There's no "One Ring to Rule them All"
• You have to build your *AST workflow and pipeline:
  • Work closely with R&D & DevOps
  • Use multiple tools and multiple technologies
  • Work in parallel tracks and speeds
• Manage your risk!
37. Join the conversation #DevSecCon
Thank You!
Questions?
@OferMaor
linkedin.com/in/ofermaor
ofer.maor @ gmail.com
Solar Eclipse
San Francisco
2017