Running security tests as a part of your CI pipeline allows you to provide better and more relevant feedback to developers as quickly as possible (also known as the “Shift Left paradigm”/”DevSecOps” methodology). Those slides are from a session at DevOpsDays TLV 2017 - how to use OWASP Zap to create valuable dynamic security tests. In those slide, I'm showing how we added those test to one of our open source project - Tweek (https://github.com/soluto/tweek)

1. Dynamic Security Testing
November 2017
@omerlh
@yshayy

3. http://www.align.com/wp-
content/uploads/2017/09/Equifax_Infographic.png

4. And it affects the stock price...
disclosed

5. http://www.zdnet.com/article/equifax-confirms-apache-struts-flaw-it-
failed-to-patch-was-to-blame-for-data-breach/

6. https://nvd.nist.gov/vuln/detail/CVE-2017-5638

7. Will you be the next Equifax?

8. What can we do?
● Threat Modeling
● Design/Code review
● Bug bounties
● Security tests
● And many more…

9. Security Tests in CI

10. What's a feature management solution?

11. Let’s try to change the design a bit to
increase engagement
Demo e-commerce app
Example 1 - A/B Testing

12. Feature flags

13. Tweek is mission critical

14. Tweek is open source...

15. GitHub Flow
Source: GitHub
Checks - Quality Feedback

16. PR Quality Feedback

17. Security Department
Source: IT Crowd

18. Can we add security checks?

19. The best defense is a good offense
Source: http://community-sitcom.wikia.com/wiki/File:Dual_wielding_Chang.jpg

20. And run it in CI
Let’s take a hacking tool

21. OWASP Zap

22. OWASP Zaproxy
https://www.openhub.net/p/zaproxy
Free and Open Source hacking tool

24. Zap has two modes:
Passive Active

25. Let’s Hack Tweek!

26. Tweek’s Architecture

27. Passive Mode

28. What Zap does?
● Inspecting request and response
● Run passive scan rules:
○ Cookies misconfiguration
○ Security HTTP Headers
○ Mixed Content
○ And many more

29. Setup Proxy

30. Browse Editor

31. Many findings

32. Potential issue

33. Why?

34. Zap does not only find the issues
It will also help you fix them!

35. Active Mode

36. What Zap does?
● Find all URLS/Paths
● Run active scan rules:
○ SQL injections
○ XSS
○ Directory browsing
○ Remote file inclusion
○ And many more

38. Zap can parse the spec

39. And now we can attack it…

40. Let’s push the red button

41. Now relax and drink some coffee

42. Massive attack

43. Many findings

44. Potential issue

45. Why?

46. Security Report - 2017

47. Questions so far?

48. And run it in CI
Let’s take a Hacking Tool

49. Zap has two modes:
Passive Active

50. Passive Mode

51. Tweek’s Security Testing
Tweek
API
Tweek
Editor
Integration
Tests
REST
UI
Automation
Tests
Selenium
ZAP Proxy
ZAP Proxy
REST
Selenium

52. Let’s use Docker
● Tweek is designed as a multi-container app
● Every microservice has an offical Docker image
● Tweek uses Docker-native CI (Codefresh)
● Test suites also run as docker containers
● Zap has an official docker image

53. Containerized them all!
Tweek
API
Tweek
Editor
Smoke
Tests
REST
UI
Automation
Tests
Selenium
ZAP Proxy
ZAP Proxy
REST
Selenium

56. docker-compose up

57. docker-compose is widely supported

58. Running it in CI

59. Zap API

61. Curl/CLI/SDK

62. So we have Security Tests...

63. But it’s not perfect…

64. OWASP Glue

65. OWASP Glue
Security Tool Filtering Reporting
Free and Open Source CI tool

66. Let’s add some glue to our CI

67. Using Glue
ruby /usr/bin/glue/bin/glue
-t zap
--zap-host http://zap-e2e --zap-port 8090 --zap-passive-mode
-f text
--exit-on-warn 0
http://editor
--finding-file-path /usr/src/wrk/glue.json

68. Let’s look at the findings…

69. Zap’s findings for the API
● Insecure cookies
● Missing security headers
● Insecure hash
FIXED
FIXED
IGNORE

70. Active Mode

71. Simply docker
docker run
-t --net=host
-v $(pwd):/zap/wrk
owasp/zap2docker-weekly
zap-api-scan.py
-t http://localhost:4003/api/swagger.json
-f openapi
-r report.html
Find out more on Zap’s wiki...

72. And the results...

73. Questions so far?

74. So we have dynamic security tests...

75. Let’s see if it works…

76. Should I approve this pull request?

77. Let's review it...

78. That looks good...

79. But the tests are failing...

80. Let's see why...

81. Source: https://giphy.com/gifs/thisisgiphy-reaction-audience-l4HodBpDmoMA5p9bG

82. Conclusion

83. Security Testing Options
Passive (Proxy) Active (OpenAPI)
Simple to integrate Simple to integrate
Wide coverage Wide Coverage
Fast Slow
Mixing tests types Dedicated tests types

85. GitHub Only?

86. How can you use it?

87. Useful links
● Pull Request – adding security tests to Tweek
● Malicious Pull Request – The one show a few slides above
● Demo repo – Adding security tests to vulnerable app - Juice Shop
● Blog Post – how I added security tests to Tweek
@omerlh
@yshayy

88. @omerlh
@yshayy
Thank You!