talk slides or my 2019 Talk W-JAX Continous Lifecycle Mannheim Heise DevSec

1. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
Automated Security Testing
In Continuous Integration

2. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
1) English
2)Deutsch
Language Menu

3. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
Agenda
why?
how?
what?
whoami?

4. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
whoami?
Christian Kühn
system developer
#java #kubernetes #devops
@DevOpsKA Meetup Organizer
synyx GmbH Karlsruhe
code with attitude!
sw development
consulting

5. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
questions ?!

6. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
- leakage of business data
- leakage of user/customer data
- service interruption
- industry malfunction
- death (😱)
soſtware security issues:
what could possibly go wrong?

7. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
equifax - “Credit Monitoring”
examples:
https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/
hacked 2017
vulnerability in Apache Struts dependency
143,000,000 SSN
209,000 credit card numbers
182,000 “consumers” with PII

8. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
Mossack Fonseca - “Law Firm and coprorate service provider”
examples:
https://en.wikipedia.org/wiki/Panama_Papers
hacked 2015
vulnerability in Drupal
11.5 million leaked documents about
money laundering
tax avoidance
corruption

9. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
what stops developers from patching?
negligence
priorities / lack of time
skills / training
insight
“security - not my department” (or is it?)

10. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de

11. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
vulnerability
/vʌln(ə)rəˈbɪlɪti/
noun
1. the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally.
…
CVE
"reference for publicly known information-security vulnerabilities and exposures"
public CVE Database - sponsored by NIST
(National Institute of Standards and Technology)

12. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de

13. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
automate the sh!t out of it
solution
search for known vulnerabilities
implement a process to fix ASAP (or whitelist 😇 )
treat security issues like technical debt

14. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
let's automatically find KNOWN vulnerabilities in
dependencies / 3rd party libs
components in docker images
( let's also scan our app dynamically )

15. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
continuous delivery today

16. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
continuous delivery ++

17. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
continuous delivery++

18. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
dependencies | components | 3rdparty libraries
example: little maven/springboot demo-project:
6 maven dependencies
71 transitive dependencies
github.com/cy4n/broken

19. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de

20. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
find vulnerable dependencies

21. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de

22. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de

23. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
DEMO!

24. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de

25. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
What is wrong with using containers?
docker pull cy4n/broken
FROM cy4n/broken:latest

26. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de

27. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
https://github.com/arminc/clair-local-scan
docker run -d --name db arminc/clair-db:latest
docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan

28. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de

29. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
alternative:
trivy
CLI-binary only
no need for server
local database
https://github.com/aquasecurity/trivy

30. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
DEMO!

31. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de

32. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
API / Webserver
ZAProxy burp

33. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
API / Webserver - dynamic testing
OWASP ZAProxy
url spider
passive (and active) modes
ajax supported

34. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de

35. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
DEMO!

36. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
let's discuss
how to react?