My Little Webap - DevOpsSec is Magic
Download as PPTX, PDF3 likes1,667 views
The document discusses the DevOpsSec approach which aims to integrate security testing into the development process through automation. It outlines how DevOpsSec can help address issues that arise from the traditional separation of development and operations teams. The document provides examples of different types of tests that can be automated, such as unit testing, performance testing, and security testing of an application's attack surface. It promotes automating as many tests as possible and sharing test automation code to continuously monitor for vulnerabilities and issues.
![[123] quality without qa](https://cdn.slidesharecdn.com/ss_thumbnails/132qualitywithoutqa-150914011521-lva1-app6892-thumbnail.jpg?width=560&fit=bounds)
Ad
More Related Content
What's hot (20)
Viewers also liked (20)
Ad
Similar to My Little Webap - DevOpsSec is Magic (20)
Ad
Recently uploaded (20)
My Little Webap - DevOpsSec is Magic
- 1. My Little Webapp – DevOpsSec is Magic Apollo Clark @apolloclark apolloclark.com slideshare.net/ApolloClark/my-little-webap-devopssec-is-magic
- 3. About Me • Originally from Maine • Lived in Milwaukee, Chicago, Atlanta • Web developers since 2001 • PHP, Python, Java, Perl, Visual Basic • Kali Linux, Burpsuite, SQLMap, XSSer, etc. • Got badly hacked in 2010, been learning since • I like making good software
- 6. What if we could fix anything in 10 minutes?
- 7. With DevOpsSec, you can!
- 8. How does it feel?
- 10. Prepare for a meme filled ride.
- 13. How do we do things today?
- 17. We need to build QA and security in.
- 18. What can we do?
- 23. Dev vs. Ops
- 25. Dev vs. Ops • Devs are paid to change code, high entropy
- 26. Dev vs. Ops • Devs are paid to change code, high entropy • Ops are paid to have stability, low entropy
- 27. Dev vs. Ops • Devs are paid to change code, high entropy • Ops are paid to have stability, low entropy • Change != Stability
- 28. Dev vs. Ops • Devs are paid to change code, high entropy • Ops are paid to have stability, low entropy • Change != Stability • IE8 only supports loading 31 CSS files
- 29. "One line of code can break everything."
- 30. What do we do?
- 36. Performance • stress testing: "how many concurrent users?"
- 38. Performance • stress testing: "how many concurrent users?" • server latency: "how long is the response wait?"
- 39. Performance • stress testing: "how many concurrent users?" • server latency: "how long is the response wait?" • initial client-side load latency: "time to first tweet"
- 41. Performance • stress testing: "how many concurrent users?" • server latency: "how long is the response wait?" • initial client-side load latency: "time to first tweet" • client latency: "how long does action take?"
- 42. Performance • stress testing: "how many concurrent users?" • server latency: "how long is the response wait?" • initial client-side load latency: "time to first tweet" • client latency: "how long does action take?"
- 43. Don’t forget to DDoS yourself.
- 44. I like to DDoS myself on the weekends.
- 47. What we got:
- 49. What we want:
- 51. Code quality testing IS security testing.
- 52. Code Quality • linting, correct formatting
- 54. Code Quality • linting, correct formatting • copy + paste, easily refactor
- 55. Code Quality • linting, correct formatting • copy + paste, easily refactor • complexity, refactoring target
- 57. 2^6 possible code pathways
- 58. 64 possible outcomes from 1 function.
- 59. Code Quality • linting, correct formatting • copy + paste, easily refactor • complexity, refactoring target • unsafe calls, change implementation
- 61. Code Quality • linting, correct formatting • copy + paste, easily refactor • complexity, refactoring target • unsafe calls, change implementation • e2e tests, detect regressions
- 62. Code Quality • linting, correct formatting • copy + paste, easily refactor • complexity, refactoring target • unsafe calls, change implementation • e2e tests, detect regressions • unit tests, detect integration issues
- 63. Code Quality • linting, correct formatting • copy + paste, easily refactor • complexity, refactoring target • unsafe calls, change implementation • e2e tests, detect regressions • unit tests, detect integration issues • coverage, testing thoroughness
- 64. Code Quality • linting, correct formatting • copy + paste, easily refactor • complexity, refactoring target • unsafe calls, change implementation • e2e tests, detect regressions • unit tests, detect integration issues • coverage, testing thoroughness • mocks, speed up testing
- 66. Unit Testing
- 68. Ready to try some Unit Testing?
- 70. Unit Testing GET /users/<account_name> • happy path: "aclark" • missing entry: "aclark2" • lower bounds: "a" • upper bounds: "aaaaaaaaa" • empty: "account_name" : "" • null: (null) • fuzzing: "a2$@o9(@1"
- 72. "a2$@o9(@1" eventually becomes "a or 1=1; --"
- 77. Supported
- 78. Supported • define supported devices, resolutions, browsers, and versions
- 79. You can’t support everything:
- 81. Supported • define supported devices, resolutions, browsers, and versions • use Selenium WebDriver
- 82. Supported • define supported devices, resolutions, browsers, and versions • use Selenium WebDriver • test locally in VM images
- 84. Supported • define supported devices, resolutions, browsers, and versions • use Selenium WebDriver • test locally in VM images • test on the cloud
- 85. Supported • define supported devices, resolutions, browsers, and versions • use Selenium WebDriver • test locally in VM images • test on the cloud
- 86. Try using unsupported systems. Hopefully fail gracefully. Might even find something…
- 87. Hint: Try setting your browser User-Agent to iPhone 3.0 when visiting news websites :P
- 91. Deployable • atomic base box VM
- 93. Deployable • atomic base box VM • provisioning scripts
- 95. Deployable • atomic base box VM • provisioning scripts • deploy to local, AWS, Rackspace, etc.
- 96. Deployable • atomic base box VM • provisioning scripts • deploy to local, AWS, Rackspace, etc. • scan dependency list
- 98. Deployable • atomic base box VM • provisioning scripts • deploy to local, AWS, Rackspace, etc. • scan dependency list • scan server setup
- 100. Deployable • atomic base box VM • provisioning scripts • deploy to local, AWS, Rackspace, etc. • scan dependency list • scan server setup
- 107. Monitoring • request origin
- 108. If you’re a ‘Murican only company, why are you letting your server talk to Russia?
- 109. Monitoring • request origin • request scans
- 112. Monitoring • request origin • request scans • invalid requests
- 114. Monitoring • request origin • request scans • invalid requests • request flood
- 116. Monitoring • request origin • request scans • invalid requests • request flood • response flood
- 118. Monitoring • request origin • request scans • invalid requests • request flood • response flood • server uptime
- 119. Monitoring • request origin • request scans • invalid requests • request flood • response flood • server uptime • latency
- 120. Monitoring • request origin • request scans • invalid requests • request flood • response flood • server uptime • latency • cpu load
- 121. Monitoring • request origin • request scans • invalid requests • request flood • response flood • server uptime • latency • cpu load
- 122. My startup has < 100 users. It gets scanned and attacked every day.
- 123. Your live servers are getting hammered all the time.
- 127. Security • what to test?
- 128. This is your attack surface:
- 132. Security • what to test? • how to test?
- 134. Security • what to test? • how to test? • monitor issues
- 136. Security • what to test? • how to test? • monitor issues • aggregate reports
- 137. Security • what to test? • how to test? • monitor issues • aggregate reports • prioritize issues
- 138. Security • what to test? • how to test? • monitor issues • aggregate reports • prioritize issues • automate tests
- 139. Security • what to test? • how to test? • monitor issues • aggregate reports • prioritize issues • automate tests
- 140. Give and request automated tests, not PDF docs.
- 141. Write "Malicious User Stories"
- 143. IF YOU SEE SOMETHING, SAY SOMETHING.
- 144. ... but, at least write a test.
- 146. DevOpsSec is free, you can do it today.
- 147. Automation does not replace people.
- 151. Repeat after me:
- 152. "I am DevOpsSec ..."
- 153. "... and so can you!"
- 155. Apollo Clark @apolloclark apolloclark.com slideshare.net/ApolloClark/my-little-webap-devopssec-is-magic github.com/apolloclark/py-jenkins-ci