Put yourself in the appsec pipe - Paolo Perego - Codemotion Milan 2016
2 likes•412 views
The document presents insights on creating an application security pipeline, emphasizing the need for commitment and awareness among development and security teams. It discusses testing scenarios, tools for vulnerability assessment, and the importance of integrating security tests within the development lifecycle to keep up with rapid release cycles. Additionally, it introduces a collector tool and an orchestrator for managing security services efficiently.
Put yourself in the appsec pipe - Paolo Perego - Codemotion Milan 2016
- 1. Putyourselfinthe#appsecpipeline Paolo Perego - thesp0nge MILAN 25-26 NOVEMBER 2016
- 2. $whoami • 15 anni nell’industria #itsec • Tech blogger @codiceinsicuro • ❤ sviluppare security source code scanners (Owasp Orizon, dawnscanner) • ❤ tenere talk su temi di #appsec • Seguimi su @thesp0nge
- 3. Agenda • Talk about testing scenarios • Talk about what an appsec pipe is and what do you need to create one • Be inspired, go home and do some homework
- 7. Wedon’tdoanytest (and we are aware of it)
- 8. Wedon’tdoanytest (but I’ll love to do)
- 9. Wedosecuritytest (but I want to learn more about the pipeline)
- 12. Theunacceptablesolution… • Tests must be done: • in production environment • before going live • Testers need: • the code being frozen • some “fake” accounts • a couple of week to do the job
- 13. …foradifficulttask • Products can not delay time to market release to allow security tests • Tests must be performed on each release • Often companies do releases on a weekly basis • There are no fake accounts on a production server • Code is never on a frozen state • This applies to web properties and mobile applications • Tests are not sawn as investment
- 14. #appseccan’tbedonethisway and we’re the first talking our science to the next level
- 17. Beforewestart • We need • Commitment • An organised SDLC • A development team aware about #appsec topic • An #appsec team (with patience and some coding skills)
- 19. Thecollectortool A way for our customer to ask for services, keep track about the progress and having results back
- 20. Yourfavouritecollectionof#appsectools You may want to cover vulnerability assessment, penetration test, web application penetration test and code review at least. Keep calm and let’s go shopping.
- 21. TheOrchestrator Your customers ask for services, you need an automatic dispatcher mechanism to the appropriate tool. Of course you need also something retrieving results too.
- 22. Theticketingsystem You need something to keep track about vulnerabilities, about their history and their state.
- 24. Canaveral
- 25. AGrapebasedorchestratortoruntoolinourpipeline Very alpha - Opensource - Integrates Nmap, Dawnscanner and Owasp ZAP
- 26. Demo
- 28. Sometoolstocheck • Sinatra with Grape (create HTTP API endpoints) • Owasp ZAP (WAPT on steroids) • Owasp DeepViolet (check your SSL config) • Nexpose + nexpose gem (automate vulnerability assessment) • Brakeman/Dawnscanner (ultimate ruby code review) • Owasp Orizon (Java security code review) • Owasp GLUE gem (pipeline related tool) • Canaveral (a Grape based orchestrator for your pipeline)
- 29. Questions?
- 30. THANKS!