Join the conversation #DevSecCon
Integrated Security Testing
MORGAN ROMAN
Definitions
1. Selenium - Selenium automates browsers like Chrome/Firefox/IE.
2. Integration Testing - Testing a full user workflow in an application.
After this presentation, you can:
1. Make existing tests find security bugs
2. Without false positives
3. With minimal changes
QAs! Managers!
Test security while testing functionality!
Penetration Testers! Security Engineers!
Find more bugs! Keep them fixed!
“Give me a place to stand and I will move the Earth”
- Archimedes
“Give me a place to stand and I will HACK THE PLANET!”
- Me
About Me
I started as a tester at DocuSign
Wrote integration tests for the API and web interface
Currently work on the application security team
When I was a tester...
And when I became a penetration tester...
Thousands of tests → Proxy
What Web Application Scanners Do
Login → Send Payloads → Interpret Responses → Give Report
What Web Application Scanners Do Badly
Login → Send Payloads → Interpret Responses → Give Report
● Doesn't understand business logic!
● Never even signed!!!
● Manual triage and reproduction
What Regular Testers Already Do
1. Find an idealized workflow
2. Create an automated test
3. Modify the test to hit all the test cases
4. Find a bug
5. Use the previous test to check if the bug is fixed
What We Can Learn From Them
1. Find an idealized workflow – Get an actual user workflow!
2. Create an automated test
3. Modify the test to hit all the test cases – Test lots of scenarios!
4. Find a bug
5. Use the previous test to check if the bug is fixed – Easy to reproduce!
What a test can be used for
1. Find an idealized workflow
2. Create an automated test – Make all your strings: <script>alert(1)</script>
3. Modify the test to hit all the test cases – Then send it to tons of scenarios!
4. Find a bug – Show a failure if the XSS alerts!
5. Use the previous test to check if the bug is fixed – Anyone can reproduce my bug!
Best Practice Issues
Workshop - Setup
• Please have ZAP installed from https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• Clone the repository from https://github.com/distrustCaution/integrated-security-example
• Please install NodeJS v8.11.1
• If you are on Windows, you may need to add C:\Program Files\nodejs to your path.
• Run ‘npm install’
• Run ‘npm run integrationTest’
Workshop Part 1 – Survey the Test Code
• Go to test/integration_tests/test_ui.js and test/integration_tests/test_api.js
• Mission – Learn how:
  • The http client is set up
  • The selenium web driver is set up
  • Accounts are created
  • Accounts authenticate
  • Tests are run
  • What the assertions are
Workshop Part 2 - ZAP and Passive Scan
• Go to the file: “test/workshop/find_passive_results.js”
• In that file, look for the browser setup script
• We’ll send it through ZAP’s proxy
• Then we’ll use ZAP’s reporter for basic output
• To run use: npm run workshopPassive
• For automating it, you can use the ZAP API
• A great article by one of the other speakers here (Omer Levi Hevroni) on how to use custom rules: https://medium.com/@omerlh/how-to-scripting-owasp-zap-with-javascript-1c1898b1e7e0
Look for cookies
Insecure cookies: browser.driver.manage.all_cookies
Non-httpOnly cookies: return document.cookie
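The two cookie checks above, written out as an added example (this is not code from the talk or its repository). The cookie objects are shaped like what `driver.manage().getCookies()` returns in selenium-webdriver, and the document.cookie string is what `executeScript('return document.cookie')` would hand back; both sample values are constructed here. A cookie without the Secure flag can travel over plain HTTP, and a cookie that shows up in document.cookie is readable by page script, so it lacks HttpOnly.

```javascript
// Added example: audit Selenium-collected cookies for missing Secure / HttpOnly.
// Sample cookies and document.cookie string below are constructed.

// Cookies that lack the Secure flag can be sent over plain HTTP.
function findInsecureCookies(cookies) {
  return cookies.filter((c) => !c.secure).map((c) => c.name);
}

// Anything visible in document.cookie is readable by page JavaScript,
// i.e. it was set without HttpOnly. Returns the cookie names found there.
function findNonHttpOnlyCookies(documentCookie) {
  if (!documentCookie) return [];
  return documentCookie
    .split(';')
    .map((pair) => pair.trim().split('=')[0])
    .filter((name) => name.length > 0);
}

// Combine both checks for the cookies that must carry both flags (e.g. the
// session id). Returns a list of findings so a test can assert it is empty.
function auditCookies(cookies, documentCookie, sensitiveCookieNames) {
  const findings = [];
  const insecure = new Set(findInsecureCookies(cookies));
  const scriptReadable = new Set(findNonHttpOnlyCookies(documentCookie));
  for (const name of sensitiveCookieNames) {
    if (insecure.has(name)) findings.push(`${name}: missing Secure`);
    if (scriptReadable.has(name)) findings.push(`${name}: missing HttpOnly`);
  }
  return findings;
}

// Constructed sample data standing in for a real Selenium session.
const SAMPLE_COOKIES = [
  { name: 'sessionid', value: 'abc123', secure: false, httpOnly: true },
  { name: 'csrftoken', value: 'tok', secure: true, httpOnly: false },
  { name: 'theme', value: 'dark', secure: false, httpOnly: false },
];
const SAMPLE_DOCUMENT_COOKIE = 'csrftoken=tok; theme=dark';

// In a test: expect an empty list, fail the test otherwise.
console.log(auditCookies(SAMPLE_COOKIES, SAMPLE_DOCUMENT_COOKIE, ['sessionid', 'csrftoken']));
```

The assertion in a real test is simply that `auditCookies(...)` returns an empty array; because every finding names the cookie and the missing flag, the failure message already tells the developer what to fix.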
Source: https://thehackernews.com/2017/10/coinhive-cryptocurrency-miner.html
Dynamically Load Scripts!
JQUERY!
Tests can just run: window.performance.getEntries()
Workshop Part 2 – Looking for external scripts
• Go to the file: “test/workshop/find_external_scripts.js”
• To run use: npm run workshopExternal
• In selenium, try to get the results from: “return window.performance.getEntries()” (try it in your browser first)
• We’ll filter it down to see if we get an error
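The "filter it down" step, as an added example that is not part of the workshop code: given the array that `return window.performance.getEntries()` yields in the browser, flag every script fetched from an origin outside an allow-list. The allow-list and the entries are constructed for this example; only the fields the check reads (`name`, `initiatorType`) are filled in. Because the entries come from the browser's own resource timing, a script that was injected dynamically (the Coinhive case above) shows up just like one in the page source.

```javascript
// Added example: detect scripts loaded from unexpected origins using
// PerformanceEntry objects. Allow-list and entries are constructed.

// Origins this application is expected to load scripts from (hypothetical).
const ALLOWED_SCRIPT_ORIGINS = ['https://app.example.test', 'https://cdn.example.test'];

// Returns the URLs of script resources whose origin is not allow-listed.
// Entries whose name is not a parsable URL are reported too, rather than
// silently skipped, so a malformed entry cannot hide a finding.
function findExternalScripts(entries, allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  const unexpected = [];
  for (const entry of entries) {
    if (entry.initiatorType !== 'script') continue;
    let origin;
    try {
      origin = new URL(entry.name).origin;
    } catch (e) {
      unexpected.push(entry.name);
      continue;
    }
    if (!allowed.has(origin)) unexpected.push(entry.name);
  }
  return unexpected;
}

// Constructed sample standing in for window.performance.getEntries().
const SAMPLE_ENTRIES = [
  { name: 'https://app.example.test/', entryType: 'navigation', initiatorType: 'navigation' },
  { name: 'https://cdn.example.test/jquery.min.js', entryType: 'resource', initiatorType: 'script' },
  { name: 'https://unknown-cdn.example.invalid/tracker.js', entryType: 'resource', initiatorType: 'script' },
  { name: 'https://cdn.example.test/site.css', entryType: 'resource', initiatorType: 'link' },
];

// In a test: fail if this list is non-empty.
console.log(findExternalScripts(SAMPLE_ENTRIES, ALLOWED_SCRIPT_ORIGINS));
```

Only entries with `initiatorType === 'script'` are examined; scripts pulled in through `<link rel="preload">` or a worker carry a different initiator type, so widen the filter if your application uses those.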
Find Web App Bugs
Send Payload → Run Test → Check Payload
Find XSS the easy way
Create a payload ● <script>alert(1234)</script>
PROTIP: Alert will break tests
Find XSS the easy way
Create a payload ● <script>console.error(1234)</script>
Use it ● userName = “<script>...
Read it ● Read selenium logs
Find Angular injection the easy way
Create a payload ● {{1234*1234}}
Use it ● userName = “{{1234*1234}}”
Read it ● Search the DOM for 188821744
PROTIP: Big numbers rarely collide
Workshop Part 4 – XSS
• Go to the file: “test/workshop/find_xss.js”
• To run use: npm run workshopXSS
• Generate a basic XSS payload: <script>console.error(1234)</script>
• Use “driver.manage().logs().get(webdriver.logging.Type.BROWSER)” to get the browser logs
• Verify that your payload exists in the logs
Workshop Part 5 – Angular Injection
• Go to the file: “test/workshop/find_angular.js”
• To run use: npm run workshopAngular
• Generate a basic Angular Payload: {{2+2}}
• Look for it in the DOM with “return document.body.innerHTML”
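The "create a payload / use it / read it" pattern for both Parts 4 and 5, as an added example (not code from the talk or its repository). The browser log entries and DOM HTML are constructed here to stand in for what `driver.manage().logs().get(webdriver.logging.Type.BROWSER)` and `return document.body.innerHTML` return. The XSS payload writes the marker to the console rather than calling alert(), so a hit never blocks the test behind a modal dialog; for the Angular payload the expected product is computed in code, so the payload and the number the DOM is searched for cannot drift apart.

```javascript
// Added example: payload/marker pairs for the XSS and Angular checks and the
// two "read it" steps. Log entries and HTML below are constructed.

// A marker the application would never produce on its own. The slides use
// 1234; pick something larger in a real suite ("big numbers rarely collide").
const MARKER = 1234;

// XSS: console.error instead of alert(), so a detection does not break the test.
function xssPayload(marker = MARKER) {
  return `<script>console.error(${marker})</script>`;
}

// Angular: the expression only evaluates if the input reached a template
// unescaped. The product is computed here, not pasted in by hand.
function angularPayload(marker = MARKER) {
  return { payload: `{{${marker}*${marker}}}`, expected: String(marker * marker) };
}

// "Read it" for XSS: did any browser console entry carry the marker?
function xssFired(browserLogEntries, marker = MARKER) {
  return browserLogEntries.some((e) => e.message.includes(String(marker)));
}

// "Read it" for Angular: does the rendered DOM contain the evaluated product?
function angularFired(bodyInnerHtml, marker = MARKER) {
  return bodyInnerHtml.includes(angularPayload(marker).expected);
}

// The "check payload" step of Send Payload -> Run Test -> Check Payload:
// returns the list of findings so the test can assert it is empty.
function securityFindings(browserLogEntries, bodyInnerHtml, marker = MARKER) {
  const findings = [];
  if (xssFired(browserLogEntries, marker)) findings.push('xss');
  if (angularFired(bodyInnerHtml, marker)) findings.push('angular-injection');
  return findings;
}

// Constructed samples: a page where both payloads fired, and a safe page
// that escaped the input.
const SAMPLE_BROWSER_LOG = [
  { level: 'INFO', message: 'https://app.example.test/app.js 12:3 "ready"' },
  { level: 'SEVERE', message: 'console-api 1:0 1234' },
];
const SAMPLE_BODY_HTML = '<div class="profile">Hello 1522756</div>';
const SAMPLE_SAFE_HTML = '<div class="profile">Hello &lt;script&gt;... {{1234*1234}}</div>';

console.log(securityFindings(SAMPLE_BROWSER_LOG, SAMPLE_BODY_HTML)); // both payloads fired
console.log(securityFindings([], SAMPLE_SAFE_HTML));                  // nothing fired
```

Wiring this into an existing integration test means replacing the string the test already types into `userName` with `xssPayload()` or `angularPayload().payload`, running the workflow unchanged, and appending the `securityFindings` assertion to the test's existing assertions.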
Normal way to find SQL injection
Create a payload ● ‘ UNION SELECT 1
Send it ● userName = ‘ UNION SELECT 1
Interpret it ● Error!
What if it is too early?
Easy way to find SQL injection
Create a payload ● ‘ UNION SELECT 12345
Send it ● userName = ‘ UNION SELECT 12...
Break the test! ● FAILURE!!
Workshop Part 6 – SQL Injection
• Go to the file: “test/workshop/find_sqli.js”
• To run use: npm run workshopSQLi
• Create a simple payload that could ‘break sql’ that contains characters such as ‘, ”, or –
• Use it in the API tests, and see the failures you get back
Find XXE in test
Create a payload ● <!DOCTYPE data SYSTEM “file:///c:/myfile.txt">...
Send it ● userName = <!DOCTYPE data...
Monitor the file for reads ● ls -lu (bash) or (gci filename).lastaccesstime (powershell)
Authorization Bugs
Finding Authorization Bugs in CRUD
1. Alice makes the resource
2. Alice modifies the resource
3. Alice shares the resource with Bob
4. Bob reads the resource
Finding Authorization Bugs in CRUD
1. Alice makes the resource – Preparation as “Victim”
2. Eve (instead of Alice) modifies the resource – Authorization bypass attempt as “Attacker”
3. Eve (instead of Alice) shares the resource with Eve (instead of Bob)
4. Eve (instead of Bob) reads the resource
Finding Authorization Bugs in CRUD
1. Alice makes the resource – Preparation as “Victim”
2. Alice modifies the resource
3. Eve (instead of Alice) shares the resource with Eve (instead of Bob) – Authorization bypass attempt as “Attacker”
4. Eve (instead of Bob) reads the resource
Workshop Part 7 – Authorization
• Go to the file: “test/workshop/find_authz.js”
• To run use: npm run workshopAuthz
• See how to create an ‘Evil’ account
• Attempt to do the following by modifying the api test:
• Read someone else’s note
• Modify someone else’s note
• Share someone else’s note
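The Alice/Eve/Bob CRUD workflow from the slides, run against a minimal in-memory notes store, as an added example (not the workshop's own API or test code; the `NoteStore` class, user names and method names are hypothetical). Every step is attempted once as the legitimate user and once as "Eve", and each Eve attempt must come back denied; the store keeps its authorization decision in one method so the test exercises the same check the real handlers would share.

```javascript
// Added example: a notes store with an owner/reader authorization check and
// the victim/attacker workflow as a test. All names are hypothetical.

class Forbidden extends Error {}

class NoteStore {
  constructor() { this.notes = new Map(); this.nextId = 1; }

  create(user, text) {
    const id = this.nextId++;
    this.notes.set(id, { owner: user, text, sharedWith: new Set() });
    return id;
  }

  // Single authorization decision: the owner may do anything; a user the
  // note was shared with may only read. Missing notes are reported the
  // same way as forbidden ones so ids cannot be enumerated by the error.
  _authorize(user, id, action) {
    const note = this.notes.get(id);
    if (!note) throw new Forbidden(`${user} may not ${action} note ${id}`);
    if (note.owner === user) return note;
    if (action === 'read' && note.sharedWith.has(user)) return note;
    throw new Forbidden(`${user} may not ${action} note ${id}`);
  }

  read(user, id) { return this._authorize(user, id, 'read').text; }
  modify(user, id, text) { this._authorize(user, id, 'modify').text = text; }
  share(user, id, other) { this._authorize(user, id, 'share').sharedWith.add(other); }
}

// Classify an attempt so the workflow result reads like a matrix.
function attempt(fn) {
  try { fn(); return 'allowed'; } catch (e) {
    if (e instanceof Forbidden) return 'denied';
    throw e;
  }
}

// Steps 1-4 from the slides, each once as the victim and once as Eve.
function runAuthzWorkflow(store = new NoteStore()) {
  const id = store.create('alice', 'v1');                                   // 1. Alice makes it
  return {
    aliceModifies: attempt(() => store.modify('alice', id, 'v2')),          // 2. as victim
    eveModifies: attempt(() => store.modify('eve', id, 'tampered')),        // 2. as attacker
    eveShares: attempt(() => store.share('eve', id, 'eve')),                // 3. as attacker
    eveReads: attempt(() => store.read('eve', id)),                         // 4. as attacker
    aliceSharesWithBob: attempt(() => store.share('alice', id, 'bob')),     // 3. as victim
    bobReads: attempt(() => store.read('bob', id)),                         // 4. as Bob
    bobModifies: attempt(() => store.modify('bob', id, 'x')),               // a reader must not write
    finalText: store.read('alice', id),                                     // Eve's write must not stick
  };
}

console.log(runAuthzWorkflow());
```

The test asserts on every `eve*` entry being `'denied'` and on `finalText`, because an authorization bug that lets Eve modify the note shows up twice: as an unexpected `'allowed'` and as the wrong final text. Adding Eve's attempts to an existing CRUD test is the "minimal change" the talk is after: the victim steps are the test you already had.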
Co-Worker:
“So… most of the time it finds nothing and
doesn’t tell you about it?”
Me:
“Exactly! I don’t want it to succeed, I want it
to try.”
“Give me a place to stand and I will move the Earth”
- Archimedes
✓ Don’t break tests
✓ Tailor it to your company
✓ Testers can now look for security bugs
✓ Keep it maintainable
✓ Help fix bugs faster
Join the conversation #DevSecCon
Thank you!
For more information go to:
https://github.com/distrustCaution/integrated-security-example
My twitter:
@Hackimedes

DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for Kubernetes
 
DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heel
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificates
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOps
 

Último

Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Último (20)

Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 

DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman

  • 1. Join the conversation #DevSecCon Integrated Security Testing MORGAN ROMAN
  • 2. Definitions 1. Selenium - Selenium automates browsers like Chrome/Firefox/IE. 1. Integration Testing - Testing a full user workflow in an application
  • 3. After this presentation, you can: 1. Make existing tests find security bugs 2. Without false positives 3. With minimal changes
  • 4. After this presentation, you can: 1. Make existing tests find security bugs 2. Without false positives 3. With minimal changes QAs! Managers! Test security while testing functionality!
  • 5. After this presentation, you can: 1. Make existing tests find security bugs 2. Without false positives 3. With minimal changes Penetration Testers! Security Engineers! Find more bugs! Keep them fixed!
  • 6. “Give me a place to stand and I will move the Earth” - Archimedes
  • 7. “Give me a place to stand and I will HACK THE PLANET!” - Me
  • 8. About Me I started as a tester at DocuSign Wrote integration tests for the API and web interface Currently work on the application security team
  • 9. When I was a tester...
  • 10. And when I became a penetration tester...
  • 11. And when I became a penetration tester...
  • 14. What Web Application Scanners Do Interpret Responses Login Send Payloads Give Report
  • 15. What Web Application Scanners Do Badly Interpret Responses Login Send Payloads Give Report Doesn't understand business logic! Manual triage and reproduction
  • 16. What Web Application Scanners Do Badly Interpret Responses Login Send Payloads Give Report Doesn't understand business logic! Never even signed!!! Manual triage and reproduction
  • 17. What Regular Testers Already Do Modify the test to hit all the test cases Find an idealized workflow Create an automated test Find a bug Use the previous test to check if the bug is fixed
  • 18. What We Can Learn From Them Modify the test to hit all the test cases Find an idealized workflow Create an automated test Find a bug Use the previous test to check if the bug is fixed Test lots of scenarios! Easy to reproduce! Get an actual user workflow!
  • 19. What a test can be used for Modify the test to hit all the test cases Find an idealized workflow Create an automated test Find a bug Use the previous test to check if the bug is fixed Make all your strings: <script>alert(1)</script> Then send it to tons of scenarios! Show a failure if the XSS alerts! Anyone can reproduce my bug!
  • 21. Workshop - Setup • Please have ZAP Installed from https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project • Clone the repository from https://github.com/distrustCaution/integrated-security-example • Please install NodeJS v8.11.1 • If you are on Windows, you may need to add C:\Program Files\nodejs to your path. • Run ‘npm install’ • Run ‘npm run integrationTest’
  • 22. Workshop Part 1 – Survey the Test Code • Go to test/integration_tests/test_ui.js and test/integration_tests/test_api.js • Mission – Learn how:
  • 23. Workshop Part 1 – Survey the Test Code • Go to test/integration_tests/test_ui.js and test/integration_tests/test_api.js • Mission – Learn how: • The http client is set up • The selenium web driver is set up • How accounts are created • How accounts authenticate • How tests are run • What the assertions are
  • 24. Workshop Part 2 - ZAP and Passive Scan • Go to the file: “test/workshop/find_passive_results.js” • In that file, look for the browser setup script • We’ll send it through ZAP’s proxy • Then we’ll use ZAP’s reporter for basic output • To run use: npm run workshopPassive • For automating it, you can use the ZAP API • A great article by one of the other speakers here (Omer Levi Hevroni) on how to use custom rules: https://medium.com/@omerlh/how-to-scripting-owasp-zap-with-javascript-1c1898b1e7e0
  • 25. Look for cookies Insecure cookies: browser.driver.manage.all_cookies Non-httpOnly cookies: return document.cookie
  • 30. Workshop Part 2 – Looking for external scripts • Go to the file: “test/workshop/find_external_scripts.js” • To run use: npm run workshopExternal • In selenium, try to get the results from: “return window.performance.getEntries()” (try it in your browser first) • We’ll filter it down to see if we get an error
  • 31. Find Web App Bugs Send Payload Run Test Check Payload
  • 32. Find XSS the easy way 1. Create a payload ● <script>alert(1234)</script>
  • 33. Find XSS the easy way Create a payload ● <script>console.error(1234)</script> PROTIP: Alert will break tests
  • 34. Find XSS the easy way Create a payload Use it ● <script>console.error(1234)</script> ● userName = “<script>...
  • 35. Find XSS the easy way Create a payload Use it Read it ● <script>console.error(1234)</script> ● userName = “<script>... ● Read selenium logs
  • 36. Find Angular injection the easy way Create a payload Use it Read it ● {{1234*1234}} ● userName = “{{1234*1234}}” ● Search the DOM for 188821744
  • 37. Find Angular injection the easy way Create a payload Use it Read it ● {{1234*1234}} ● userName = “{{1234*1234}}” ● Search the DOM for 188821744 PROTIP: Big numbers rarely collide
  • 38. Workshop Part 4 – XSS • Go to the file: “test/workshop/find_xss.js” • To run use: npm run workshopXSS • Generate a basic XSS payload: <script>console.error(1234)</script> • Use “driver.manage().logs().get(webdriver.logging.Type.BROWSER)” to get the browser logs • Verify that your payload exists in the logs
  • 39. Workshop Part 5 – Angular Injection • Go to the file: “test/workshop/find_angular.js” • To run use: npm run workshopAngular • Generate a basic Angular Payload: {{2+2}} • Look for it in the DOM with “return document.body.innerHTML”
  • 40. Normal way to find SQL injection Create a payload Send it Interpret it ● ‘ UNION SELECT 1 ● userName = ‘ UNION SELECT 1 ● Error!
  • 41. Normal way to find SQL injection Create a payload Send it Interpret it ● ‘ UNION SELECT 1 ● userName = ‘ UNION SELECT 1 ● Error! What if it is too early?
  • 42. Easy way to find SQL injection Create a payload Send it Break the test! ● ‘ UNION SELECT 12345 ● userName = ‘ UNION SELECT 12... ● FAILURE!!
  • 43. Workshop Part 6 – SQL Injection • Go to the file: “test/workshop/find_sqli.js” • To run use: npm run workshopSQLi • Create a simple payload that could ‘break sql’ that contains characters such as ‘, ”, or – • Use it in the API tests, and see the failures you get back
  • 44. Find XXE in test Create a payload Send it Monitor the file for reads ● <!DOCTYPE data SYSTEM “file:///c:/myfile.txt">... ● userName = <!DOCTYPE data... ● ls -lu (bash) or (gci filename).lastaccesstime (powershell)
  • 46. Finding Authorization Bugs in CRUD 1. Alice makes the resource 2. Alice modifies the resource 3. Alice shares the resource with Bob 4. Bob reads the resource
  • 47. Finding Authorization Bugs in CRUD 1. Alice makes the resource 2. Alice Eve modifies the resource 3. Alice Eve shares the resource with Bob Eve 4. Bob Eve reads the resource
  • 48. Finding Authorization Bugs in CRUD 1. Alice makes the resource 2. Alice Eve modifies the resource 3. Alice Eve shares the resource with Bob Eve 4. Bob Eve reads the resource Preparation as “Victim” Authorization bypass attempt as “Attacker”
  • 49. Finding Authorization Bugs in CRUD 1. Alice makes the resource 2. Alice modifies the resource 3. Alice Eve shares the resource with Bob Eve 4. Bob Eve reads the resource Preparation as “Victim” Authorization bypass attempt as “Attacker”
  • 50. Workshop Part 7 – Authorization • Go to the file: “test/workshop/find_authz.js” • To run use: npm run workshopAuthz • See how to create an ‘Evil’ account • Attempt to do the following by modifying the api test: • Read someone else’s note • Modify someone else’s note • Share someone else’s note
  • 51. Co-Worker: “So… most of the time it finds nothing and doesn’t tell you about it?” Me: “Exactly! I don’t want it to succeed, I want it to try.”
  • 52. “Give me a place to stand and I will move the Earth” - Archimedes
  • 53. ✓ Don’t break tests ✓ Tailor it to your company ✓ Testers can now look for security bugs ✓ Keep it maintainable ✓ Help fix bugs faster
  • 54. Join the conversation #DevSecCon Thank you! For more information go to: https://github.com/distrustCaution/integrated-security-example My twitter: @Hackimedes

Notas del editor

  1. Title Slide.
  2. Lay it all out. Make this fade in the three. After this presentation: 1. You will be able to turn selenium tests into web security tests 2. You will be able to turn API tests into deep fuzzing tools 3. You will be able to use both of the above testing methods to look for subtle business logic bugs
  3. QAs get to know how to use their tests for some real good CI plus repurpose them
  4. QAs get to know how to use their tests for some real good CI plus repurpose them
  5. DocuSign is an esignature platform. I was an SDET. I wrote web and api tests. I would help out the security team by creating regression tests for them occasionally. DocuSign has an amazing set of integration tests.
  6. I went from the familiar to the confusing
  7. I was scared of this new thing
  8. I was scared of this new thing
  9. I started my career as an sdet -> switched to application security. Since I knew how to use my only tool “integration tests”, I use it for all the things. This ended up being a really good idea. I proxy my stuff into Burp and magic happened. This project was codenamed “Fart” By building off my familiar, this enabled me to get a foothold in my new career.
  10. I started my career as an sdet -> switched to application security. Since I knew how to use my only tool “integration tests”, I use it for all the things. This ended up being a really good idea. I proxy my stuff into Burp and magic happened. This project was codenamed “Fart” By building off my familiar, this enabled me to get a foothold in my new career.
  11. Scanners just login. Vomit their payloads, and then do not go deep through the app.
  12. Scanners give terrible nebulous reports, at most click on things. Don’t do business logic. Don’t actually save you a lot of time. BUZZ LIGHTYEAR!
  13. Scanners give terrible nebulous reports, at most click on things. Don’t do business logic. Don’t actually save you a lot of time. BUZZ LIGHTYEAR!
  14. Show that Penetration testers already have the “depth and breadth”
  15. Show that Penetration testers already have the “depth and breadth”. It is easy to reproduce.
  16. Show that it can reproduce, and find bugs programmatically. Replace with plan of attack!
  17. We’re going to find best practice issues!
  18. Cookies can be set in lots of ways, finding insecure ones deep in flows is weird. For insecure cookies
  19. In docusign we do not allow external scripts to run on our site. While csp is a valid way to protect against this, it can be broken. Federal agencies have hit this problem and it is hard to detect. We can just see how it works. Especially on nightly runs. Tests can see this in the normal flow, and just report out.
  20. Problem solved right???
  21. Nope! Developer Bob wants his scripts and loads them dynamically
  22. Bad developer Bob! You will be detected!!! Your scripts even if loaded mysteriously will still show up in the performance logs
  23. The process always followed the same steps internally: 1. Create a payload with an easy marker to add to the test 2. Add it to a list for later 3. See if it appears somewhere 4. Throw an error
  24. Testers hate it when you break tests, so use console log. An unexpected alert will often break their test. This will ruin adoption.
  25. The process always followed the same steps internally: 1. Create a payload with an easy marker to add to the test 2. Add it to a list for later 3. See if it appears somewhere 4. Throw an error
  26. The process always followed the same steps internally: 1. Create a payload with an easy marker to add to the test 2. Add it to a list for later 3. See if it appears somewhere 4. Throw an error. Show screenshot
  27. Angular injection works the same way. Just use the different break out. Screenshot
  28. Another protip, GUIDs have small numbers, use larger numbers and use multiplication. This also reduces the odds of colliding with actual in-app numbers.
  29. For blind sql injection, you can’t read outputs. So you have to wait.
  30. For blind sql injection, you can’t read outputs. So you have to wait.
  31. For blind sql injection, you can’t read outputs. So you have to wait. But testers can just connect to the DB and see what happened on test environments!!! Limitation for this method is that you need to stack queries.
  32. XXE is pretty straightforward
  33. In large APIs, you might have a TON of endpoints to go through, you can iterate and have testing on all of them. You can iterate over all the authorization scenarios in an API. Closed accounts, shared accounts, shared resources, etc.
  34. In large APIs, you might have a TON of endpoints to go through, you can iterate and have testing on all of them. You can iterate over all the authorization scenarios in an API. Closed accounts, shared accounts, shared resources, etc.
  35. In large APIs, you might have a TON of endpoints to go through, you can iterate and have testing on all of them. You can iterate over all the authorization scenarios in an API. Closed accounts, shared accounts, shared resources, etc.
  36. In large APIs, you might have a TON of endpoints to go through, you can iterate and have testing on all of them. You can iterate over all the authorization scenarios in an API. Closed accounts, shared accounts, shared resources, etc.
  37. You want to go into the spirit of this. You don’t have to implement it exactly. Find the bugs that you need to do, and avoid false positives.
  38. This is a useful tool, it’s not always the tool for the job, but you should have it as a blue teamer. Don’t break tests . QA’s hate that, you should fail a lot on your machine first to interpret the results. Don’t create work for them. Breaking the DOM is just fine on your runs, but not on the nightly run. You also don’t want some crazy sql thing to overwrite stuff. You should tailor it to your company, use the methodology of having security testing at the same time as functionality testing.