Merging Security with DevOps - An AppSec Perspective
1. Merging Security and DevOps - A Tactical and Practical View
Abhay Bhargav - CTO, we45
2. abhaybhargav abhaybhargavwe45
Yours Truly
• Co-author of Secure Java For Web Application Development
• Author of PCI Compliance: A Definitive Guide
• Speaker at OWASP Conferences worldwide
• Avid Pythonista and AppSec Automation Junkie
• Specialization in Web Application Security and Security Testing
• Lead Trainer - DevSecOps Workshop
5. What is DevOps?
• Key objective: have Development and IT Operations work together seamlessly rather than as separate silos
• Rely on process and automation to achieve higher throughput - Continuous Delivery
12. Why?
• Penetration testing done annually, bi-annually or quarterly cannot keep up with the rate of application change
• Manual penetration testing does not scale
• Security issues found this way never seem to get fixed
• Vulnerability scanners find only 30% of the actual security issues in your application
• Static code analysis finds only 40% of the actual vulnerabilities in your application
16. The Need of the Hour
• Find and fix security bugs early and often
• Security that integrates with your Agile development
• Security that works seamlessly with your Continuous Delivery pipeline
17. CI/CD Pipeline
The slide is a pipeline diagram; its stages and the activities shown in each are:
• Pre-commit checks
• Commit-time checks: compile and build code, run SAST tools, automatic security testing, gather metrics, break the build
• Build-time checks: SCA, comprehensive SAST, risk-based security testing, gather metrics, break the build
• Triggers and notifications alongside the pipeline: trigger threat modelling, trigger manual code review, configuration review, email notifications, trigger ARA (application release automation)
19. Security in DevOps
The slide maps security activities onto the DevOps loop (Plan, Code, Build, Test, Release, Deploy, Operate, Monitor):
• Plan: threat modeling
• Code: SAST
• Build: composition analysis (SCA)
• Test: DAST, IAST
• Release / Deploy: security in IaC
• Operate / Monitor: security monitoring and attack detection
20. Our Approach Today
• A view of DAST in the pipeline
• Tool of choice: OWASP ZAP, with:
  • Jenkins
  • Customized Python scripts
  • ElasticSearch/Redis
• Objective: explore automated DAST testing approaches with OWASP ZAP and its Python API
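The pipeline step the slides describe, as an added example (not code from the slides or from we45): a Jenkins-style Python script that drives ZAP through its official Python client (`zapv2`, from the `python-owasp-zap-v2.4` package) to spider and active-scan a staged application, summarizes the alerts into one record per finding (the shape you would push to ElasticSearch/Redis), and breaks the build when anything at or above a chosen risk level is found. The target host `app.test`, the environment variables, the `FakeZap` stand-in and the `SAMPLE_ALERTS` list are all assumptions constructed for the example so the gate logic can be run without a live ZAP; the ZAP plugin ids in the sample are real, the findings are made up.

```python
"""Jenkins DAST step driving OWASP ZAP through its Python API (zapv2).

Added example; not code from the slides or from we45. Assumes a ZAP daemon on
ZAP_PROXY (default http://127.0.0.1:8090) with API key ZAP_API_KEY and the
application under test staged at TARGET. The gate logic is plain Python and
can be exercised offline with the constructed FakeZap/SAMPLE_ALERTS below.
"""
import json
import os
import sys
import time

# ZAP risk labels in ascending order; the gate fails at or above FAIL_ON.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample of what zap.core.alerts() returns (real ZAP plugin ids, invented findings).
SAMPLE_ALERTS = [
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "confidence": "Medium", "url": "http://app.test/search?q=x", "param": "q", "cweid": "79"},
    {"pluginId": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "risk": "Medium",
     "confidence": "High", "url": "http://app.test/", "param": "", "cweid": "693"},
    {"pluginId": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "risk": "Medium",
     "confidence": "High", "url": "http://app.test/login", "param": "", "cweid": "693"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": "http://app.test/", "param": "x-content-type-options", "cweid": "693"},
]

class FakeZap:
    """Constructed stand-in for zapv2.ZAPv2 exposing only the calls run_dast makes."""
    class _Scanner:                      # spider and ascan look the same to this script
        def scan(self, target, **kw): return "1"     # ZAP returns the scan id as a string
        def status(self, scan_id): return "100"      # percent complete, also a string
    class _Core:
        def __init__(self, alerts): self._alerts = alerts
        def alerts(self, baseurl=None, **kw):
            return [a for a in self._alerts if a["url"].startswith(baseurl or "")]
    def __init__(self, alerts):
        self.spider, self.ascan, self.core = self._Scanner(), self._Scanner(), self._Core(alerts)
    def urlopen(self, url): pass

def _wait(status_fn, scan_id, poll):
    """Poll a ZAP status endpoint (spider or ascan) until it reports 100%."""
    while int(status_fn(scan_id)) < 100:
        time.sleep(poll)

def run_dast(zap, target, poll=2):
    """Spider the target, then active-scan it; return ZAP's raw alert list."""
    zap.urlopen(target)                                  # make ZAP aware of the site first
    _wait(zap.spider.status, zap.spider.scan(target), poll)
    _wait(zap.ascan.status, zap.ascan.scan(target), poll)
    return zap.core.alerts(baseurl=target)

def summarize_alerts(alerts):
    """Per-risk counts plus one finding per (pluginId, name) with affected URLs merged."""
    counts = {r: 0 for r in RISK_ORDER}
    findings = {}
    for a in alerts:
        risk = a.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
        key = (a.get("pluginId"), a.get("alert"))
        f = findings.setdefault(key, {"pluginId": key[0], "name": key[1], "risk": risk,
                                      "cweid": a.get("cweid"), "urls": []})
        if a.get("url") and a["url"] not in f["urls"]:
            f["urls"].append(a["url"])
    ordered = sorted(findings.values(), key=lambda f: -RISK_ORDER.get(f["risk"], 0))
    return {"counts": counts, "findings": ordered}

def should_break_build(alerts, fail_on="High"):
    """True if any alert is at or above the fail_on risk level."""
    threshold = RISK_ORDER[fail_on]
    return any(RISK_ORDER.get(a.get("risk"), 0) >= threshold for a in alerts)

def main():
    target = os.environ.get("TARGET", "http://app.test")
    fail_on = os.environ.get("FAIL_ON", "High")
    if os.environ.get("ZAP_OFFLINE"):                    # dry run against the constructed sample
        zap = FakeZap(SAMPLE_ALERTS)
    else:
        from zapv2 import ZAPv2                          # pip install python-owasp-zap-v2.4
        proxy = os.environ.get("ZAP_PROXY", "http://127.0.0.1:8090")
        zap = ZAPv2(apikey=os.environ.get("ZAP_API_KEY"),
                    proxies={"http": proxy, "https": proxy})
    alerts = run_dast(zap, target)
    print(json.dumps(summarize_alerts(alerts), indent=2))   # JSON is what the ES/Redis push would index
    if should_break_build(alerts, fail_on):
        print("Breaking the build: findings at or above %s risk" % fail_on, file=sys.stderr)
        return 1
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

In Jenkins the script runs as a shell step after the application is deployed to the test environment; its non-zero exit is what fails the stage. Merging alerts by (pluginId, name) matters for the metrics the slides mention: a missing header reported on fifty URLs is one finding to fix, not fifty, so counting raw alerts would skew trend charts.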
21. Why OWASP ZAP?
• Free and open-source web application vulnerability scanner
• Feature-rich and well supported, with several contributors
• Community support: plugins, add-ons, etc.
• Documentation: better than most scanners out there
• Great API and a scriptable scanner
34. Custom Scripting Framework
• Checks that have produced great results in external pentests, bug bounties, and internal pentests and reviews
• Encoded as custom ZAP scripts
• Loaded into ZAP and run as part of the pipeline
36. OWASP ZAP - Scripting Framework
• Active Rules => scripts invoked during an Active Scan to send attack requests against each node or parameter
• Authentication Scripts => scripts invoked to perform authentication for a Context, for logins the built-in methods cannot handle (multi-step, token-based)
• Fuzzer Processors => scripts invoked on each fuzzed request before it is sent and on the response that comes back
• HTTPSender => scripts invoked on every request ZAP sends and every response it receives, including spider and scanner traffic
• Proxy => run inline on requests and responses passing through the ZAP proxy
• Targeted Rules => invoked on specific URLs, started manually
• Standalone => invoked manually, not tied to any ZAP event
• Passive Rules => passive scanning rules that inspect requests/responses without sending any new traffic
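A passive rule of the kind listed above, as an added example (not a script from the slides or from we45), written for ZAP's Jython script engine (the Python scripting add-on), which calls `scan(ps, msg, src)` for every response the passive scanner sees. The `ps.raiseAlert(...)` call uses ZAP's legacy passive-script signature (risk, confidence, name, description, uri, param, attack, otherInfo, solution, evidence, cweId, wascId, msg); the header policy in `REQUIRED_HEADERS`, the risk/confidence values and the `app.test` URLs are the example's own choices. The header check is kept as a plain function so it can be run and tested outside ZAP.

```python
"""ZAP passive-rule script (Jython engine): flag responses missing security headers.

Added example; not a script from the slides or from we45. Load it in ZAP under
Scripts > Passive Rules with the "python" (Jython) engine and enable it; ZAP then
calls scan() for each response. Header policy and risk/confidence values are
this example's assumptions, not a ZAP default.
"""

# Headers an HTML response should carry (constructed policy), with the alert text for each.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": "HSTS missing: first request can be downgraded to HTTP",
    "Content-Security-Policy": "CSP missing: no browser-side mitigation for injected script",
    "X-Content-Type-Options": "nosniff missing: browser may sniff content type",
}

def missing_security_headers(headers, is_https=True):
    """Return the required header names absent from a {name: value} dict.

    Names are matched case-insensitively and a None value counts as absent
    (that is what HttpHeader.getHeader returns for a missing header). HSTS
    is only expected on HTTPS responses, since browsers ignore it over HTTP.
    """
    present = set(k.lower() for k, v in headers.items() if v is not None)
    missing = []
    for name in REQUIRED_HEADERS:
        if name == "Strict-Transport-Security" and not is_https:
            continue
        if name.lower() not in present:
            missing.append(name)
    return missing

def appliesToHistoryType(historyType):
    # ZAP calls this to ask which history entries the rule wants; take them all.
    return True

def scan(ps, msg, src):
    """Entry point ZAP invokes for each message; raises one alert per missing header."""
    resp = msg.getResponseHeader()
    if not resp.isHtml():                       # only page responses need these headers
        return
    req = msg.getRequestHeader()
    headers = dict((name, resp.getHeader(name)) for name in REQUIRED_HEADERS)
    uri = req.getURI().toString()
    for name in missing_security_headers(headers, req.isSecure()):
        # risk 1 = Low, confidence 2 = Medium in ZAP's numeric scale
        ps.raiseAlert(1, 2, "Missing %s header" % name, REQUIRED_HEADERS[name],
                      uri, "", "", "", "Send the %s header on every response" % name,
                      "", 0, 0, msg)
```

Because the scan is passive, the rule adds no traffic to the pipeline run; it rides on what the spider and active scanner already fetched. The same `missing_security_headers` function can be called from a pytest in the repository, so the check is verified before it is ever loaded into ZAP.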