Add Security Testing Tools to Your Delivery Pipeline

© COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 1@CoverosGene

Add Security Testing Tools to Your Delivery

PipelineGene Gotimer

Senior Architect


About Coveros• Coveros builds security-critical applications using agile methods.• Coveros Services• Agile transformations• Agile development and testing• DevOps and continuous integration• Application security analysis

• Agile & Security training• Government qualifications• DCAA approved rates and accounting• TS facility clearance

Areas of Expertise


Select Clients


Security Testing


Information Security• Information security means protecting information and information

systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

• The key concepts of information security include:• Confidentiality• Integrity• Availability• + Authenticity• + Non-Repudiation


Security Testing• Often put off until late or ignored completely

Fix security issues and delay

release?

Release on time and accept

security risks?


Return on Investment

“Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn't make sense in this context.”

-- Bruce Schneier, Schneier on Security

https://www.schneier.com/blog/archives/2008/09/security_roi_1.html




Security in the Delivery Pipeline


Security Tools

“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.”

-- Bruce Schneier, Secrets & Lies


Security Testing Process

1. Use tools to help detect the obvious security problems2. Remediate3. Search for less obvious security problems4. Repeat

Better security process

Fewer obvious security issues Better security

Time to find less obvious

security issues


Incorporate Security Testing

Do just enough of each type of testing

early in the pipeline to determine if

further testing is justified.


Tools to Consider Adding to the

Process


It is easier to protect less

mvn dependency:tree

mvn dependency:analyze

mvn com.ning.maven.plugins:maven-dependency-versions-check-plugin


Poor quality code is harder to maintain

… and harder to secure


Make sure your tests actually testMutation testing


Keep libraries up-to-date


Negative testing

User role testing… what should users not be able to do?


Use a proxy

OWASP ZAP… and piggy-back on functional tests

passive proxyactive scanner

fuzzer


Repeatable, reliable deployments… and test that through practice


Audit yourself


Scan the web application


Scan the web server configuration


Scan the system… before and after installing software


Scan all the systems… don’t forget the infrastructure


Keep packages up-to-date


Test performance… even if you just watch the trends


Test the database… for security and performance


Protect against hackers … even on development and test systems


Continuously improve

A little better is still better.

Keep improving.

… and don’t expect perfectly secure


Find more tools


Questions?

Gene [email protected]

@CoverosGene

Add Security Testing Tools to Your Delivery Pipeline

Software

Transcript of Add Security Testing Tools to Your Delivery Pipeline