[Poland] SecOps live cooking with OWASP appsec tools

•

2 gefällt mir•462 views

OWASP EEE

SecOps live cooking with OWASP appsec tools. Maciej Lasyk

Internet

Join Fedora Infrastructure!
→ learn Ansible
→ join the security team!
→ use Fedora Security Lab (spin)
http://fedoraproject.org/en/join-fedora

Agenda?
→about delivery pipeline
→demos
→manual testing
→automation
→delivery pipeline

DEV INTEGRATION TEST PROD
Delivery Pipeline & security testing

DEV INTEGRATION TEST PROD
Feedback loop!
Delivery Pipeline!

DEV INTEGRATION TEST PROD
Feedback loop!
Delivery Pipeline!
→ UAT
→ Performance
→ Security

DEV INTEGRATION
TEST
containers
PROD
Feedback loop!
Delivery Pipeline!
→ UAT
→ Performance
→ Security
Experimentation gives you improvements!
Continuous security scanning

→ shortening the cycle time
→ viability of scanning windows
→ burndown charts - security testing slice is usually tiny
→ security testing has to be faster
→ providing instant feedback
→ CD is a goal
Delivery Pipeline!

Manual testing demo #1
OWASP webgoat, OWASP hackademic story
test-app
vs
OWASP ZAP

Manual testing demo #2
Fedora Pagure
vs
OWASP Dependency Check

Automation tools
→ Ansible (www.ansible.com)
→ Jenkins (jenkins-ci.org)
→ GoCD (www.go.cd)

Automation demo #1
Installing Jenkins w/Ansible

Linux Containers - Docker
→ Docker?
→ Docker Registry

Automation demo #2
OWASP ZAP && Dependency Check + Docker

Automation demo #3
OWASP ZAP && Dependency Check + Docker
+
Jenkins

Automation demo #4
Containerization of security tools

Automation demo #5
What about false positives / negatives?

Automation demo #6
Full delivery pipeline

Summary
Should we replace classical pentests with automation?

Empfohlen

FrenchKit 2017: Server(less) SwiftChris Bailey

OpenStack Contribution WorkflowSean McGinnis

DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon

Vagrant - the essence of DevOps in a toolPaul Stack

LasCon 2014 DevOoops Chris Gates

The Seven Habits of Highly Effective Puppet Users - PuppetConf 2014Puppet

DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...DevSecCon

Tests your pipeline might be missingGene Gotimer

Empfohlen

FrenchKit 2017: Server(less) SwiftChris Bailey

OpenStack Contribution WorkflowSean McGinnis

DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon

Vagrant - the essence of DevOps in a toolPaul Stack

LasCon 2014 DevOoops Chris Gates

The Seven Habits of Highly Effective Puppet Users - PuppetConf 2014Puppet

DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...DevSecCon

Tests your pipeline might be missingGene Gotimer

InSpec Workshop DevSecCon 2017Mandi Walls

Your first patch to open stackAkanksha Agrawal

Microservices testing in distributed systemsIsa Vilacides

Мониторинг облачной CI-системы на примере Jenkins / Александр Акбашев (HERE T...Ontico

CI/CD Pipeline to Deploy and Maintain an OpenStack IaaS CloudSimon McCartney

CI/CD for React NativeJoao Marins

How to successfully migrate to Bazel from Maven or Gradle - Riga Dev DaysNatan Silnitsky

DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates

Releasing the monolith on a daily basis - CodeMashVincent Kok

Live Testing A Legacy AppColdFusionConference

DevSecCon London 2017 - MacOS security, hardening and forensics 101 by Ben Hu...DevSecCon

DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan RomanDevSecCon

Rise of the Machines - Automate your DevelopmentSven Peters

Badge Poser v3.0 - A DevOps JourneyFabio Cicerchia

CI CD BasicsPrabhu Ramkumar

AWS Survival GuideKen Johnson

Open Canary - novahackersChris Gates

OpenSlava 2015 When DevOps HurtsAntons Kranga

Arquillian : An introductionVineet Reynolds

Power Up Your Build - Omer van Kloeten @ Wix 2018-04Omer van Kloeten

[Russia] Bugs -> max, time <= TOWASP EEE

Building an Open Source AppSec PipelineMatt Tesauro

Weitere ähnliche Inhalte

Was ist angesagt?

InSpec Workshop DevSecCon 2017Mandi Walls

Your first patch to open stackAkanksha Agrawal

Microservices testing in distributed systemsIsa Vilacides

Мониторинг облачной CI-системы на примере Jenkins / Александр Акбашев (HERE T...Ontico

CI/CD Pipeline to Deploy and Maintain an OpenStack IaaS CloudSimon McCartney

CI/CD for React NativeJoao Marins

How to successfully migrate to Bazel from Maven or Gradle - Riga Dev DaysNatan Silnitsky

DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates

Releasing the monolith on a daily basis - CodeMashVincent Kok

Live Testing A Legacy AppColdFusionConference

DevSecCon London 2017 - MacOS security, hardening and forensics 101 by Ben Hu...DevSecCon

DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan RomanDevSecCon

Rise of the Machines - Automate your DevelopmentSven Peters

Badge Poser v3.0 - A DevOps JourneyFabio Cicerchia

CI CD BasicsPrabhu Ramkumar

AWS Survival GuideKen Johnson

Open Canary - novahackersChris Gates

OpenSlava 2015 When DevOps HurtsAntons Kranga

Arquillian : An introductionVineet Reynolds

Power Up Your Build - Omer van Kloeten @ Wix 2018-04Omer van Kloeten

Was ist angesagt? (20)

InSpec Workshop DevSecCon 2017

Your first patch to open stack

Microservices testing in distributed systems

Мониторинг облачной CI-системы на примере Jenkins / Александр Акбашев (HERE T...

CI/CD Pipeline to Deploy and Maintain an OpenStack IaaS Cloud

CI/CD for React Native

How to successfully migrate to Bazel from Maven or Gradle - Riga Dev Days

DevOOPS: Attacks and Defenses for DevOps Toolchains

Releasing the monolith on a daily basis - CodeMash

Live Testing A Legacy App

DevSecCon London 2017 - MacOS security, hardening and forensics 101 by Ben Hu...

DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman

Rise of the Machines - Automate your Development

Badge Poser v3.0 - A DevOps Journey

CI CD Basics

AWS Survival Guide

Open Canary - novahackers

OpenSlava 2015 When DevOps Hurts

Arquillian : An introduction

Power Up Your Build - Omer van Kloeten @ Wix 2018-04

Andere mochten auch

[Russia] Bugs -> max, time <= TOWASP EEE

Building an Open Source AppSec PipelineMatt Tesauro

Using jira to manage risks v1.0 - owasp app sec eu - june 2016Dinis Cruz

8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack

Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationDerrick Hunter

2014 11-06-sonarqube-asfws-141110031042-conversion-gate01Cyber Security Alliance

Managing Security in External Software Dependenciesthariyarox

27 jan 2012[1]Biblioteca Escolar Aeob

Building an AppSec Pipeline: Keeping your program, and your life, saneweaveraaaron

Veracode Automation CLI (using Jenkins for SDL integration)Dinis Cruz

Continuous Security - TCCCWendy Istvanick

Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterMatt Tesauro

AppSec Pipelines and Event based SecurityMatt Tesauro

Dependency checkDavid Karlsen

AppSec is Eating SecurityAlex Stamos

Hiding in Plain Sight: The Danger of Known VulnerabilitiesImperva

Live 2014 Survey Results: Open Source Development and Application Security Su...Sonatype

Managing third party librariesn|u - The Open Security Community

Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...Ajin Abraham

News Bytes - December 2015n|u - The Open Security Community

Andere mochten auch (20)

[Russia] Bugs -> max, time <= T

Building an Open Source AppSec Pipeline

Using jira to manage risks v1.0 - owasp app sec eu - june 2016

8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal

Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation

2014 11-06-sonarqube-asfws-141110031042-conversion-gate01

Managing Security in External Software Dependencies

27 jan 2012[1]

Building an AppSec Pipeline: Keeping your program, and your life, sane

Veracode Automation CLI (using Jenkins for SDL integration)

Continuous Security - TCCC

Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better

AppSec Pipelines and Event based Security

Dependency check

AppSec is Eating Security

Hiding in Plain Sight: The Danger of Known Vulnerabilities

Live 2014 Survey Results: Open Source Development and Application Security Su...

Managing third party libraries

Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...

News Bytes - December 2015

Ähnlich wie [Poland] SecOps live cooking with OWASP appsec tools

4Developers 2015: Continuous Security in DevOps - Maciej LasykPROIDEA

Continuous Security in DevOpsMaciej Lasyk

J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"Daniel Bryant

AppSec California 2016 - Making Security AgileOleg Gryb

Continuous Delivery, Continuous Integration Amazon Web Services

Accelerating Innovation with DevOps on AWSAmazon Web Services

OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavAbhay Bhargav

Continuous DeliveryAndrzej Grzesik

Continuous Delivery with Jenkins declarative pipeline XPDays-2018-12-08Борис Зора

Dev ops with smell v1.2Antons Kranga

Stop Being Lazy and Test Your SoftwareLaura Frank Tacho

DAST в CI/CD, Ольга СвиридоваMail.ru Group

DCSF 19 Building Your Development Pipeline Docker, Inc.

Safe deployments with Blue-Green and SpinnakerMihnea Dobrescu-Balaur

Cloud Foundry, Spring and VaadinJoshua Long

Prepare to defend thyself with Blue/GreenSonatype

All Day DevOps 2016 Fabian - Defending Thyself with Blue GreenFab L

Testing as a containerIrfan Ahmad

Automating OWASP Tests in your CI/CDrkadayam

Uber Mobility Meetup: Mobile TestingApple Chow

Ähnlich wie [Poland] SecOps live cooking with OWASP appsec tools (20)

4Developers 2015: Continuous Security in DevOps - Maciej Lasyk

Continuous Security in DevOps

J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"

AppSec California 2016 - Making Security Agile

Continuous Delivery, Continuous Integration

Accelerating Innovation with DevOps on AWS

OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav

Continuous Delivery

Continuous Delivery with Jenkins declarative pipeline XPDays-2018-12-08

Dev ops with smell v1.2

Stop Being Lazy and Test Your Software

DAST в CI/CD, Ольга Свиридова

DCSF 19 Building Your Development Pipeline

Safe deployments with Blue-Green and Spinnaker

Cloud Foundry, Spring and Vaadin

Prepare to defend thyself with Blue/Green

All Day DevOps 2016 Fabian - Defending Thyself with Blue Green

Testing as a container

Automating OWASP Tests in your CI/CD

Uber Mobility Meetup: Mobile Testing

Mehr von OWASP EEE

[Austria] ZigBee exploitedOWASP EEE

[Austria] Security by DesignOWASP EEE

[Austria] How we hacked an online mobile banking TrojanOWASP EEE

[Poland] It's only about frontendOWASP EEE

[Cluj] Turn SSL ONOWASP EEE

[Cluj] Information Security Through GamificationOWASP EEE

[Cluj] CSP (Content Security Policy)OWASP EEE

[Cluj] A distributed - collaborative client certification systemOWASP EEE

[Russia] Node.JS - Architecture and VulnerabilitiesOWASP EEE

[Russia] MySQL OOB injectionsOWASP EEE

[Russia] Give me a stable inputOWASP EEE

[Russia] Building better product securityOWASP EEE

[Lithuania] I am the cavalryOWASP EEE

[Lithuania] Cross-site request forgery: ways to exploit, ways to preventOWASP EEE

[Lithuania] DigiCerts and DigiID to Enterprise appsOWASP EEE

[Lithuania] Introduction to threat modelingOWASP EEE

[Hungary] I play Jack of Information DisclosureOWASP EEE

[Hungary] Survival is not mandatory. The air force one has departured are you...OWASP EEE

[Hungary] Secure Software? Start appreciating your developers!OWASP EEE

[Bucharest] Your intents are dirty, droid!OWASP EEE

Mehr von OWASP EEE (20)

[Austria] ZigBee exploited

[Austria] Security by Design

[Austria] How we hacked an online mobile banking Trojan

[Poland] It's only about frontend

[Cluj] Turn SSL ON

[Cluj] Information Security Through Gamification

[Cluj] CSP (Content Security Policy)

[Cluj] A distributed - collaborative client certification system

[Russia] Node.JS - Architecture and Vulnerabilities

[Russia] MySQL OOB injections

[Russia] Give me a stable input

[Russia] Building better product security

[Lithuania] I am the cavalry

[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent

[Lithuania] DigiCerts and DigiID to Enterprise apps

[Lithuania] Introduction to threat modeling

[Hungary] I play Jack of Information Disclosure

[Hungary] Survival is not mandatory. The air force one has departured are you...

[Hungary] Secure Software? Start appreciating your developers!

[Bucharest] Your intents are dirty, droid!

Kürzlich hochgeladen

哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查ydyuyu

一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos

APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC

Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney

Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2

Best SEO Services Company in Dallas | Best SEO Agency DallasDigicorns Technologies

Real Men Wear Diapers T Shirts sweatshirtrahman018755

"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids

best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...kajalverma014

APNIC Updates presented by Paul Wilson at ARIN 53APNIC

20240509 QFM015 Engineering Leadership Reading List April 2024.pdfMatthew Sinclair

Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156

20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair

pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfJOHNBEBONYAP1

20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair

2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou

一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs

Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg

PowerDirector Explination Process...pptxgalaxypingy

20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair

Kürzlich hochgeladen (20)

哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查

一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样

APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...

Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts

Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr

Best SEO Services Company in Dallas | Best SEO Agency Dallas

Real Men Wear Diapers T Shirts sweatshirt

"Boost Your Digital Presence: Partner with a Leading SEO Agency"

best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...

APNIC Updates presented by Paul Wilson at ARIN 53

20240509 QFM015 Engineering Leadership Reading List April 2024.pdf

Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room

20240510 QFM016 Irresponsible AI Reading List April 2024.pdf

pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf

20240508 QFM014 Elixir Reading List April 2024.pdf

2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs

一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制

Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...

PowerDirector Explination Process...pptx

20240507 QFM013 Machine Intelligence Reading List April 2024.pdf

[Poland] SecOps live cooking with OWASP appsec tools

1. SecOps live cooking with OWASP appsec tools Maciej Lasyk OWASP EEE – Kraków 2015-10-06

2. Join Fedora Infrastructure! → learn Ansible → join the security team! → use Fedora Security Lab (spin) http://fedoraproject.org/en/join-fedora

3. Agenda? →about delivery pipeline →demos →manual testing →automation →delivery pipeline

4. Agenda? →about delivery pipeline →demos →manual testing →automation →delivery pipeline

5. Agenda? →about delivery pipeline →demos →manual testing →automation →delivery pipeline

6. Agenda? →about delivery pipeline →demos →manual testing →automation →delivery pipeline

7. Agenda? →about delivery pipeline →demos →manual testing →automation →delivery pipeline

8. DEV INTEGRATION TEST PROD Delivery Pipeline & security testing

9. DEV INTEGRATION TEST PROD Feedback loop! Delivery Pipeline!

10. DEV INTEGRATION TEST PROD Feedback loop! Delivery Pipeline! → UAT → Performance → Security

11. DEV INTEGRATION TEST containers PROD Feedback loop! Delivery Pipeline! → UAT → Performance → Security Experimentation gives you improvements! Continuous security scanning

12. → shortening the cycle time → viability of scanning windows → burndown charts - security testing slice is usually tiny → security testing has to be faster → providing instant feedback → CD is a goal Delivery Pipeline!

13. → shortening the cycle time → viability of scanning windows → burndown charts - security testing slice is usually tiny → security testing has to be faster → providing instant feedback → CD is a goal Delivery Pipeline!

14. → shortening the cycle time → viability of scanning windows → burndown charts - security testing slice is usually tiny → security testing has to be faster → providing instant feedback → CD is a goal Delivery Pipeline!

15. → shortening the cycle time → viability of scanning windows → burndown charts - security testing slice is usually tiny → security testing has to be faster → providing instant feedback → CD is a goal Delivery Pipeline!

16. → shortening the cycle time → viability of scanning windows → burndown charts - security testing slice is usually tiny → security testing has to be faster → providing instant feedback → CD is a goal Delivery Pipeline!

17. → shortening the cycle time → viability of scanning windows → burndown charts - security testing slice is usually tiny → security testing has to be faster → providing instant feedback → CD is a goal Delivery Pipeline!

18.

19. Manual testing demo #1 OWASP webgoat, OWASP hackademic story test-app vs OWASP ZAP

20. Manual testing demo #1 OWASP webgoat, OWASP hackademic story test-app vs OWASP ZAP

21. Manual testing demo #2 Fedora Pagure vs OWASP Dependency Check

22. Automation tools → Ansible (www.ansible.com) → Jenkins (jenkins-ci.org) → GoCD (www.go.cd)

23. Automation tools → Ansible (www.ansible.com) → Jenkins (jenkins-ci.org) → GoCD (www.go.cd)

24. Automation tools → Ansible (www.ansible.com) → Jenkins (jenkins-ci.org) → GoCD (www.go.cd)

25. Automation demo #1 Installing Jenkins w/Ansible

26. Linux Containers - Docker → Docker? → Docker Registry

27. Linux Containers - Docker → Docker? → Docker Registry

28. Automation demo #2 OWASP ZAP && Dependency Check + Docker

29. Automation demo #3 OWASP ZAP && Dependency Check + Docker + Jenkins

30. Automation demo #4 Containerization of security tools

31. Docker inside Docker? Pros and cons

32. Automation demo #5 What about false positives / negatives?

33. Automation demo #6 Full delivery pipeline

34. Summary Should we replace classical pentests with automation?

35. SecOps live cooking with OWASP appsec tools Maciej Lasyk OWASP EEE – Kraków 2015-10-06