[OWASP Poland Day] OWASP for testing mobile applications
Se está descargando tu SlideShare.
×
Eche un vistazo a continuación
Recomendado
Más Contenido Relacionado
Presentaciones para usted (20)
Similares a Security Scanning Overview - Tetiana Chupryna (RUS) | Ruby Meditation 26 (20)
Más de Ruby Meditation (20)
Más reciente (20)
Security Scanning Overview - Tetiana Chupryna (RUS) | Ruby Meditation 26
- 1. Security Scanning Overview Tetiana Chupryna Feb 16 2018Kyiv
- 2. Te(a)ti(y)ana
- 3. GitLab Te(a)ti(y)ana
- 4. GitLab Secure Te(a)ti(y)ana
- 5. GitLab Secure dogs Te(a)ti(y)ana
- 6. Security Scanning
- 7. Application Security Security Scanning
- 8. Information Security Application Security Security Scanning
- 9. Application security • Defend assets • Search vulnerabilities • Prevent attacks • Disarm treats
- 10. a story
- 11. Alice
- 12. Alice
- 13. Alice Bob
- 14. Alice Bob Trudy
- 15. Alice Bob Trudy
- 16. Alice Bob Walter
- 17. Common Weakness Enumeration (CWE) • Common language for describing software security weaknesses • Standard measuring stick for software security tools • Common baseline standard for weakness identification, mitigation, and prevention efforts
- 18. Common Vulnerabilities and Exposures (CVE) • List of known vulnerabilities inside products • Widely used by many services
- 19. Vulnerability • What? (Identifier, Name, Description) • Where? (Location) • How critical? (Severity) • How confident? (Confidence)
- 20. Level 1 Your code is a problem
- 21. SAST • Static Application Security Testing • Testing from inside out (white-box) • Technology dependent
- 22. Tools (owasp.org) • Brakeman - Rails • Codesake Dawn - Ruby (~)
- 23. DAST • Dynamic Application Security Testing • Testing from outside (black box) • Live attack on staging • HTTP - lingua-franca
- 24. ZAProxy • OWASP Zed Attack Proxy Project • Open source
- 25. What else? • Secrets detection • Interactive Application Security Testing (IAST) • Fuzzing
- 26. Top 10 Rails vulnerabilities • Failure to Restrict URL Access • Preventing SQLi in Ruby • Cross-Site Scripting (XSS) • Injection • Cross-Site Request Forgery (CSRF) • Insecure Cryptographic Storage • Broken Authentication and Session Management • Invalidated Redirects and Forwards • Insecure Direct Object References • Insufficient Transport Layer Protection • Security Misconfiguration
- 27. Level 2 Other’s code is a problem
- 28. Dependency Scanning • Software Composition Analysis • Tricky one
- 29. Alice Bob Trudy Heidi
- 30. “Given enough eyeballs, all bugs are shallow.” –Linus Torvalds
- 31. ShellShock existed in the OpenSSL library for more than 22 years
- 32. Tools • OWASP Dependency-Check • Gemnasium (part of GitLab) • snyk.io
- 33. Level 3 It’s not about code anymore
- 34. Container scanning • Scanning Docker images for known vulnerabilities • cause there are dependencies as well
- 35. Tools • Clair • Docker Trusted Registry
- 36. Alice Bob Trudy Walter
- 37. DevOpsSec
- 38. Do I need it?
- 39. No
- 40. Yes
- 41. What we do in GitLab? • One tool to rule them all. • Insert secure tools into DevOps cycle. • Tool to help Security Analysts. • Auto-remediate functionality.
- 42. Security Dashboard
- 43. Use with pipeline sast: image: docker:stable variables: DOCKER_DRIVER: overlay2 allow_failure: true services: - docker:stable-dind script: - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^([0-9]*).([0-9]*).*/1-2-stable/') - docker run --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}" --volume "$PWD:/code" --volume /var/run/docker.sock:/var/run/docker.sock "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code artifacts: reports: sast: gl-sast-report.json
- 44. Available features • SAST • DAST • Dependency Scanning • Container Scanning • License Management • … and more!
- 45. Stay safe!
- 46. Photo Credits • @bichon_frise_ally • @hongeunyeong • @arang2o_o • @tofupuppers
- 47. Security Scanning Overview
