My Little Webapp – DevOpsSec is Magic 
Apollo Clark 
@apolloclark 
apolloclark.com 
slideshare.net/ApolloClark/my-little-webap-devopssec-is-magic
About Me 
• Originally from Maine 
• Lived in Milwaukee, Chicago, Atlanta 
• Web developer since 2001 
• PHP, Python, Java, Perl, Visual Basic 
• Kali Linux, Burpsuite, SQLMap, XSSer, etc. 
• Got badly hacked in 2010, been learning since 
• I like making good software
What if we could fix anything 
in 10 minutes?
With DevOpsSec, you can!
How does it feel?
Prepare for a meme filled ride.
How do we do things today?
We need to build QA and security in.
What can we do?
Dev vs. Ops 
• Devs are paid to change code, high entropy 
• Ops are paid to have stability, low entropy 
• Change != Stability 
• IE8 only supports loading 31 CSS files
"One line of code can break everything."
What do we do?
Climbing the Pyramid
Performance 
• stress testing: "how many concurrent users?" 
• server latency: "how long is the response wait?" 
• initial client-side load latency: "time to first tweet" 
• client latency: "how long does action take?"
Don’t forget to DDoS yourself.
I like to DDoS myself on the weekends.
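An added example, not from the talk, in Python because the author's own CI tooling is Python: a self-contained "DDoS yourself" harness. It starts a stand-in app on a free loopback port, fires concurrent GETs at it from a thread pool and reports the error count and p50/p95/max latency, which answers the first two questions on the slide (concurrency and server latency). The stand-in handler, the `/users/aclark` path and the request counts are assumptions; point `stress()` at a staging URL to run it against a real deployment.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import urlopen


class _Handler(BaseHTTPRequestHandler):
    """Constructed stand-in for the web app under test: every GET gets a small JSON body."""

    def do_GET(self):
        body = b'{"ok": true}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the stress run quiet


def start_server():
    """Bind the stand-in app to a free loopback port and serve it on a daemon thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def stress(url, concurrency=20, n_requests=200, timeout=5.0):
    """Fire n_requests GETs with `concurrency` workers; return counts and latency percentiles (ms)."""
    latencies, errors = [], 0
    lock = threading.Lock()

    def one():
        nonlocal errors
        t0 = time.perf_counter()
        try:
            with urlopen(url, timeout=timeout) as resp:
                resp.read()
                ok = resp.status == 200
        except Exception:
            ok = False
        elapsed_ms = (time.perf_counter() - t0) * 1000
        with lock:
            if ok:
                latencies.append(elapsed_ms)
            else:
                errors += 1

    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        for _ in range(n_requests):
            pool.submit(one)

    latencies.sort()

    def pct(p):
        # nearest-rank percentile over the sorted successful latencies
        return latencies[min(len(latencies) - 1, int(p * len(latencies)))] if latencies else None

    return {"ok": len(latencies), "errors": errors,
            "p50_ms": pct(0.50), "p95_ms": pct(0.95), "max_ms": pct(1.0)}


def self_ddos(concurrency=20, n_requests=200):
    """Start the stand-in app, hammer it, shut it down, return the stats."""
    srv = start_server()
    try:
        port = srv.server_address[1]  # assumed path: the user lookup route from the unit-test slide
        return stress(f"http://127.0.0.1:{port}/users/aclark", concurrency, n_requests)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(self_ddos())
```

Raise `concurrency` until `errors` climbs or `p95_ms` crosses your budget; that knee is the "how many concurrent users?" number, and it belongs in CI as a threshold, not in a slide.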
What we got:
What we want:
Code quality testing IS security testing.
Code Quality 
• linting, correct formatting 
• copy + paste, easily refactor 
• complexity, refactoring target 
• unsafe calls, change implementation 
• e2e tests, detect regressions 
• unit tests, detect integration issues 
• coverage, testing thoroughness 
• mocks, speed up testing
2^6 possible code pathways
64 possible outcomes from 1 function.
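An added example, not from the talk: a small `ast`-based check for two of the bullets above, "complexity, refactoring target" and "unsafe calls, change implementation". It computes the McCabe complexity of every function and flags a denylist of calls plus `subprocess.*` with `shell=True`. Six independent if-statements give the slide's 2^6 = 64 paths; McCabe counts the decisions (7 in that case) rather than the paths, and either number says the function wants splitting. The denylist, the gate of 10 and the sample module are assumptions.

```python
import ast

# Assumed denylist (illustrative, not the talk's): calls that run or deserialise text an attacker may reach.
UNSAFE_NAMES = {"eval", "exec", "os.system", "os.popen", "pickle.loads", "yaml.load"}
SHELL_FUNCS = {"subprocess.call", "subprocess.run", "subprocess.Popen", "subprocess.check_output"}


def _qualname(node):
    """Dotted name of a call target: eval -> 'eval', os.system -> 'os.system'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualname(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def cyclomatic_complexity(func):
    """McCabe number: 1 plus one per decision point (if/elif, loops, except, assert,
    conditional expression, comprehension filter, each extra operand of and/or)."""
    n = 1
    for node in ast.walk(func):
        if isinstance(node, (ast.If, ast.IfExp, ast.For, ast.AsyncFor, ast.While,
                             ast.ExceptHandler, ast.Assert)):
            n += 1
        elif isinstance(node, ast.BoolOp):
            n += len(node.values) - 1
        elif isinstance(node, ast.comprehension):
            n += len(node.ifs)
    return n


def unsafe_calls(tree):
    """[(line, name)] for calls in the denylist, or subprocess.* invoked with shell=True."""
    found = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _qualname(node.func)
        if name in UNSAFE_NAMES:
            found.append((node.lineno, name))
        elif name in SHELL_FUNCS and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            found.append((node.lineno, name + "(shell=True)"))
    return sorted(found)


def review(source, max_complexity=10):
    """Run both checks over a module's source; max_complexity is an assumed gate."""
    tree = ast.parse(source)
    funcs = [n for n in ast.walk(tree) if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]
    complexity = {f.name: cyclomatic_complexity(f) for f in funcs}
    return {
        "complexity": complexity,
        "too_complex": sorted(n for n, c in complexity.items() if c > max_complexity),
        "unsafe_calls": unsafe_calls(tree),
    }


# Constructed sample module to review: a branchy function that builds a shell command from input.
SAMPLE = """\
import os, subprocess

def run_report(user, fmt, verbose):
    if user is None:
        return None
    if fmt == "pdf" and verbose:
        cmd = "report --pdf -v " + user
    elif fmt == "pdf":
        cmd = "report --pdf " + user
    else:
        cmd = "report " + user
    os.system(cmd)
    return subprocess.run(cmd, shell=True)

def greet(name):
    return "hi " + name
"""

if __name__ == "__main__":
    print(review(SAMPLE, max_complexity=4))
```

Wire `review()` into the build so a non-empty `too_complex` or `unsafe_calls` fails the job; the fix for the flagged lines is the bullet's own advice, change the implementation (an argument list without `shell=True`), not a suppression comment.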
Unit Testing
Ready to try some Unit Testing?
Unit Testing 
GET /users/<account_name> 
• happy path: "aclark" 
• missing entry: "aclark2" 
• lower bounds: "a" 
• upper bounds: "aaaaaaaaa" 
• empty: "account_name" : "" 
• null: (null) 
• fuzzing: "a2$@o9(@1"
"a2$@o9(@1" eventually becomes "a or 1=1; --"
Supported 
• define supported devices, resolutions, browsers, and versions 
• use Selenium WebDriver 
• test locally in VM images 
• test on the cloud
You can’t support everything:
Try using unsupported systems. Hopefully fail 
gracefully. Might even find something…
Hint: Try setting your browser User-Agent to iPhone 3.0 
when visiting news websites :P
Deployable 
• atomic base box VM 
• provisioning scripts 
• deploy to local, AWS, Rackspace, etc. 
• scan dependency list 
• scan server setup
My personal websites:
Monitoring 
• request origin 
• request scans 
• invalid requests 
• request flood 
• response flood 
• server uptime 
• latency 
• cpu load
If you’re a ‘Murican only company, why are you letting your server talk to Russia?
My startup has < 100 users. It gets 
scanned and attacked every day.
Your live servers are getting 
hammered all the time.
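An added example, not from the talk: detection logic for the first five monitoring signals on the slide (origin, scans, invalid requests, request flood, response flood), run over a few constructed combined-format access log lines. The scanner user-agent strings, probe paths, thresholds and the IP-to-country table (a stand-in for a GeoIP database lookup) are all assumptions. Uptime, latency and CPU load come from the host rather than the access log, so they are not in this check.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Assumed indicators: scanner user-agents, and paths that only probes ask a custom app for.
SCANNER_UA = ("sqlmap", "nikto", "masscan", "zgrab", "nmap")
PROBE_PATHS = ("/phpmyadmin", "/wp-login.php", "/.env", "/.git/", "/xmlrpc.php")

# Constructed IP -> country table standing in for a GeoIP lookup (documentation-range addresses).
GEO = {
    "203.0.113.10": "US", "203.0.113.99": "US", "198.51.100.200": "US",
    "198.51.100.7": "RU", "192.0.2.44": "DE",
}


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    r = m.groupdict()
    r["status"] = int(r["status"])
    r["size"] = 0 if r["size"] == "-" else int(r["size"])
    r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return r


def analyze(lines, allowed_countries=frozenset({"US"}), flood_per_minute=20,
            invalid_max=3, response_bytes_max=5_000_000):
    """Return {alert type: sorted offending IPs}; thresholds are assumed defaults."""
    alerts = defaultdict(set)
    invalid, per_minute, out_bytes = Counter(), Counter(), Counter()
    for r in filter(None, map(parse, lines)):
        ip = r["ip"]
        if GEO.get(ip, "??") not in allowed_countries:          # request origin
            alerts["origin"].add(ip)
        if any(s in r["ua"].lower() for s in SCANNER_UA) or r["path"].startswith(PROBE_PATHS):
            alerts["scan"].add(ip)                                 # request scans
        if r["status"] in (400, 404, 405, 414):
            invalid[ip] += 1                                       # invalid requests
        per_minute[(ip, r["ts"].strftime("%Y%m%d%H%M"))] += 1     # request flood
        out_bytes[ip] += r["size"]                                 # response flood
    alerts["invalid"].update(ip for ip, n in invalid.items() if n >= invalid_max)
    alerts["request_flood"].update(ip for (ip, _), n in per_minute.items() if n >= flood_per_minute)
    alerts["response_flood"].update(ip for ip, b in out_bytes.items() if b >= response_bytes_max)
    return {k: sorted(v) for k, v in alerts.items() if v}


# Constructed sample log: one normal visitor, a sqlmap run, a probe sweep, a bulk export, a login flood.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/May/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [01/May/2016:10:00:02 +0000] "GET /users/aclark HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/May/2016:10:03:10 +0000] "GET /users/aclark%27%20or%201%3D1 HTTP/1.1" 500 311 "-" "sqlmap/1.0"',
    '192.0.2.44 - - [01/May/2016:10:05:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/May/2016:10:05:01 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/May/2016:10:05:02 +0000] "GET /.env HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/May/2016:10:05:03 +0000] "GET /.git/config HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.200 - - [01/May/2016:10:07:00 +0000] "GET /export/all.csv HTTP/1.1" 200 6000000 "-" "curl/7.47"',
] + [
    f'203.0.113.99 - - [01/May/2016:10:09:{i:02d} +0000] "GET /login HTTP/1.1" 200 430 "-" "python-requests/2.9"'
    for i in range(25)
]

if __name__ == "__main__":
    for kind, ips in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {', '.join(ips)}")
```

The per-minute bucket is the cheapest flood detector that still works on a plain log file; for a live feed, replace the Counter with a sliding window and feed the offending IPs to the firewall rather than to a report.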
Security 
• what to test? 
• how to test? 
• monitor issues 
• aggregate reports 
• prioritize issues 
• automate tests
This is your attack surface:
Give and request automated tests, 
not PDF docs.
Write "Malicious User Stories"
IF YOU SEE 
SOMETHING, 
SAY SOMETHING.
... but, at least write a test.
DevOpsSec is free, you can do it today.
Automation does not replace people.
Automation is people.
Repeat after me:
"I am DevOpsSec ..."
"... and so can you!"
Apollo Clark 
@apolloclark 
apolloclark.com 
slideshare.net/ApolloClark/my-little-webap-devopssec-is-magic 
github.com/apolloclark/py-jenkins-ci