Continuous Security Testing - DevSecCon
Transcript of Continuous Security Testing - DevSecCon
LONDON 2015 - Join the conversation #devseccon
Continuous Security Testing
Stephen de Vries
About Me
• Founder and CTO, Continuum Security
• 70% Developer / 20% Security Analyst
• Involved in OWASP since 2004
• Created BDD-Security framework
• @stephendv
Security Testing
• Performed after build
• Outsourced to external experts
• Process is opaque to dev/ops
Unit/Integration/Acceptance Testing
• Performed during build
• Owned by dev/test
• Tests visible to the team
[Pipeline diagram: Design → Build → Unit Tests → Integration Tests → Acceptance Tests → Deploy; environments: Development, Pre-prod, Production]
Agile
• Short iterative cycles
• Extensive automated testing
• Low/zero cost to test
• Tests can replace documentation
[Pipeline diagram: Design → Build → Unit Tests → Integration Tests → Acceptance Tests → Deploy; environments: Development, Pre-prod, Production]
Continuous Delivery
Automated acceptance tests
[Pipeline diagram: Design → Build → Unit Tests → Integration Tests → Acceptance Tests → Deploy; environments: Development, Pre-prod, Production]
Continuous Delivery into Production
• Etsy: 50+ deploys per day
• Gov.uk: 10+ deploys per day
• Amazon: 300+ per hour
Security Tests?
• Everyone is responsible for quality
• Move testing closer to the code
• Continuous automated testing
(On the slide, "quality" is replaced by "security" as the animation plays.)
BDD: Behaviour Driven Development
https://github.com/continuumsecurity/bdd-security
• JBehave
• Selenium/WebDriver
• OWASP ZAP
• Nessus
• Internal security tools
• Pre-written baseline security specifications
[Diagram: Manual Application Security Testing with OWASP ZAP as an HTTP/S proxy, then the same flow automated]
BDD-Security
Demo https://vimeo.com/89848072
Who owns the security tests?
Option 1: Security Team
• Low cost test runs
• Slower feedback to dev
• Poor collaboration
• Lack of ownership by DevOps
[Pipeline diagram: Design → Build → Unit Tests → Integration Tests → Acceptance Tests → Deploy; environments: Development, Pre-prod, Production]
Semi-SecDevOps: Parallel tests
Manual Security Tests
Auto. Security Tests
Who owns the security tests?
Option 2: DevOps team with oversight by Security
• Better collaboration
• Sense of ownership of security
• Good stepping stone to…
[Diagram: Sec + Dev with Ops]
Option 3: Sec+Dev+Ops in a cross-functional team
• Security testing is our problem
• We have the tools and skills to manage it
[Pipeline diagram: Design → Build → Unit Tests → Integration Tests → Acceptance Tests → Deploy, with automated security tests run inline; environments: Development, Pre-prod, Production]
SecDevOps: Inline blocking tests
Manual Security Tests
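The inline blocking step above needs a gate that turns scanner output into a pass/fail decision for the pipeline. The following is an added example, not code from the slides or from BDD-Security: it parses alerts shaped like OWASP ZAP's alert JSON (the field names `alert`, `risk`, `url`, `param` are an assumption), fails closed on unknown risk labels, and lets a cross-functional team record already-triaged findings so the build is blocked only by new ones at or above the chosen risk level.

```python
"""Build gate over OWASP ZAP alerts: fail the pipeline when findings reach a risk threshold."""
import json
from dataclasses import dataclass

# Risk levels as ZAP names them, ordered so a threshold comparison works.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample shaped like ZAP's core/view/alerts JSON (field names are an assumption).
SAMPLE_ALERTS_JSON = json.dumps({"alerts": [
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "url": "http://app.example/login", "param": ""},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://app.example/search", "param": "q"},
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low",
     "url": "http://app.example/login", "param": "JSESSIONID"},
]})


@dataclass(frozen=True)
class Finding:
    name: str
    risk: str
    url: str
    param: str


def parse_zap_alerts(raw: str) -> list[Finding]:
    """Parse the alerts JSON; an unknown risk label is an error so the gate fails closed."""
    findings = []
    for a in json.loads(raw)["alerts"]:
        if a["risk"] not in RISK_ORDER:
            raise ValueError(f"unknown ZAP risk level: {a['risk']!r}")
        findings.append(Finding(a["alert"], a["risk"], a["url"], a.get("param", "")))
    return findings


def evaluate_gate(findings, fail_on="High", accepted=()):
    """Return (passed, blocking). `accepted` holds (alert name, url) pairs already triaged."""
    threshold = RISK_ORDER[fail_on]
    blocking = [f for f in findings
                if RISK_ORDER[f.risk] >= threshold and (f.name, f.url) not in accepted]
    return not blocking, blocking


def run_gate(raw=SAMPLE_ALERTS_JSON, fail_on="High", accepted=()):
    """Report blocking findings and return True only if the build may proceed."""
    passed, blocking = evaluate_gate(parse_zap_alerts(raw), fail_on, accepted)
    for f in blocking:
        print(f"BLOCK [{f.risk}] {f.name} at {f.url} (param={f.param or '-'})")
    return passed


if __name__ == "__main__":
    raise SystemExit(0 if run_gate() else 1)
```

Wiring `run_gate` into the build after the acceptance tests, with the real ZAP alert export as `raw`, gives the "inline blocking" behaviour the slide describes; the exit code is what the CI job reads.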
Related Tools
• Mittn (Python + Burp Intruder) https://github.com/F-Secure/mittn
• ZAP-JUnit (Java) https://github.com/continuumsecurity/zap-webdriver
• Gauntlt (Ruby) http://gauntlt.org/
• OWASP ZAP Jenkins plugin https://wiki.jenkins-ci.org/display/JENKINS/Zapper+Plugin
Thank you!
www.continuumsecurity.net
@continuumsecure @stephendv