Security DevOps. Automation von Security-Checks in der Build-Kette. Christian
|
|
- Ethelbert Stokes
- 5 years ago
- Views:
Transcription
1 Security DevOps Automation von Security-Checks in der Build-Kette Christian
2 `whoami` www. Christian-Schneider.net» Software Developer, Whitehat Hacker & Trainer» Freelancer since 1997» Focus on Java & Web Security (Pentests & Security Architecture Consulting)» Speaker at
3 Security SAST & DAST
4 Static Application Security Testing (SAST)
5 Fun Part Dynamic Application Security Testing (DAST)
6 Dev Ops Sec 100 : 10 : 1 The Ratio Problem
7 mehr Rollouts als Pentests The Frequency Problem
8 Security DevOps?
9 Integrate Security Tools into Build-Jobs / CI-Chain on every commit or nightly
10 Why Security DevOps?» Keep up with rollout pace in agile projects» Automate certain checks as best as possible within the build-chain» Early feedback to Devs» Does not remove the pentest requirement!» Aims to free pentesters time to hunt more high-hanging bugs
11 what levels will we cover? implicit four axes each with four belts as incremental steps master
12 Four different axes Dynamic Depth Consolidation Intensity Static Depth
13 Four different axes Dynamic Depth Consolidation Intensity Static Depth
14 Let s explore these axes» by showing how to implement this with OpenSource solutions used in the Security & Development domains.
15 Axis of "Dynamic Depth" How deep are dynamic scans executed within a Security DevOps CI chain? i.e. "where" are dynamic security tests applied?
16 Axis "Dynamic Depth": Level 1 Scanning of public attack surface (pre-auth):» Spidering of UI layer» No requirement to authenticate scanner with target» Easy integration of scanner(s) in nightly build as post-step» "Throw tool at it (in CI-chain) and see what it generates "
17 Zed Attack Proxy (ZAP) "OWASP ZAP" features:»passive scanning (Proxy / Spider)»active scanning (Proxy / Spider)»manual payload delivery (Intercepting Proxy)»Spider (classic & AJAX)»Fuzzing»Plugins»
18 Active Scanning with ZAP
19 ZAP in SecDevOps? "OWASP ZAP" features relevant for Security DevOps integration:»headless operation mode / daemon»rest-api»highly scriptable»cli
20 ZAP + Jenkins = SecDevOps? "OWASP ZAP" scanner + Jenkins plugin "ZAP Jenkins Plugin"» Allows us to "Spider & Scan" as step in build job» Point plugin config to URL of integration system to test» Plugin saves HTML-report in project s job for inspection» Best as separate Jenkins job to run during nightly build (duration):» ZAP sends reporting data back to Jenkins» Jenkins publishes and archives the report(s)» Jenkins can create JIRA tickets when desired
21 UI- and Service-Tests in CI
22 enhanced with OWASP ZAP place report (html,xml) into workspace passive & active scanning
23 Arachni in SecDevOps? "Arachni Scanner" features relevant for Security DevOps integration:» Command-Line Interface (CLI)» Optional Web-UI» RPC / REST-API» Headless PhantomJS based browser cluster» Better at spidering JavaScript-heavy applications» Auto-login handling & session management» Scanning authenticated application parts
24 Arachni + Jenkins = SecDevOps? "Arachni Scanner" + Jenkins CLI step in build» Start in build job as CLI step and point to URL of system under test» Generate HTML report and place into workspace for inspection» Better execute within nightly build job (due to duration)» Alternatively: Start remote (also via CLI) to run async
25 HTML report of Arachni scan Bildquelle: Arachni Scanner
26 Arachni Web-UI: Scan scheduling Bildquelle: Arachni Scanner
27 Axis "Dynamic Depth": Level 2 Scanning of authenticated parts (= "post-auth") via UI layer» Properly maintaining sessions» Logout-detection & automatic re-login» Different users / roles» Spider & scan post-auth Handling of hardening measures of application under test» CSRF-Tokens, etc.
28 Guide ZAP into Post-Auth in CI Different ways exist to let ZAP scan inside the authenticated parts:» Configure authentication within ZAP > works for standard login dialog submits» Individually script authentication within ZAP > flexible (sometimes complex) scripted in JavaScript > can be recorded as Zest-Script
29 Login config example within ZAP
30 ZAProxy Jenkins Plugin: ZAP session use
31 Guide Arachni into Post-Auth Give authentication infos to Arachni (Auth, Logged-In Indicators, Users)» Use Arachni "autologin" plugin to specify via command line Login URL, formfield names, credentials, logged-in indicator, excludes» Alternatively write custom ruby script for "login_script" plugin Individual custom login logic possible Logged-In indicators (RegExp) to know when to re-login
32 Login config example within Arachni (used in CI): via config./arachni --plugin=autologin: url= parameters='j_username=foo&j_password=bar', check='logout' --scope-exclude-pattern=logout.action
33 Axis "Dynamic Depth": Level 3 Separate scanning of different application layers / backends Scan internal WebServices (e.g. SOAP / REST) = directly scan backends Detect and scan parameter positions within XML, JSON, Scan from "within" the different application s layers IAST with distributed agents & instrumentation aims into that direction At least one simple step in that direction: Use the scanning proxy also between your backend service calls Or (if available): Use existing SOAP-Tests directly proxying through scanner
34 Backend scans with ZAP How to achieve this with ZAP? ZAP operates as proxy server: place it between backend calls ZAP can inject payloads in observed XML tags/attributes & JSON fields Capture service call traffic in integration test during CI while either A. frontend UI tests execute service backend calls indirectly, or B. executing service tests that directly access the service endpoint Automatically scan as new requests are seen: "ATTACK Mode" Also keep an eye on an alpha-level SOAP-Scanner ZAP addon
35 Axis "Dynamic Depth": Level 4 Targeted scanning of individual forms / wizards (UI) and service layers» More individualized workflow coverage (not just simple spidering)» Business-logic compliant usage patterns & inputs "fill shopping cart followed by checkout process" "access backend WebServices in special order to test workflow", etc.» Custom coded security tests tailored to the application
36 ZAP with special workflows (1/2) Many ways exist The simplest one could be: Re-use existing UI tests (Selenium, )» Proxy this traffic through ZAP in "ATTACK-Mode" (in security test phase of build)» Optionally use ZAP Attack-Policies to specify/limit certain attack types
37 ZAP with special workflows (2/2) A more customized handling of individual workflows can be achieved: Re-use & enhance existing "UI test code" at the desired workflow steps with calls to ZAP s (REST)-API ordering attacks» Basically it s like Unit-Test code that uses Selenium along with with ZAP-Calls at the proper positions in application workflow» Type of "ordered attacks" can again be defined via policies» Start ZAP as Daemon from Jenkins via plugin
38 Axis of "Static Depth" How deep is static code analysis performed within a Security DevOps CI chain? i.e. "where" are static security tests applied?
39 Axis "Static Depth": Level 1 Assurance that no third-party code with known vulnerabilities is used» Check application s dependencies For Java applications: JAR files, etc. Useful even for projects not currently under development» New vulnerabilities could become public: Run a build regularly to check
40 Java libs: OWASP Dependency-Check Scans all dependencies (even transitive ones) against CVE list» Available as Maven plugin and Ant task» CLI version also available» Jenkins plugin for nice reporting (and build breaking thresholds)» Not false-positive free regularly needs some time to triage findings
41
42 Axis "Static Depth": Level 2 Scan important parts of source code for vulnerability patterns» At least important parts of applications codebases are scanned like in-house reused code & custom developed frameworks for big multi-project Maven projects: at least frontend and backend projects or code of changed modules within a sprint
43 Java: FindSecurityBugs Plugin for FindBugs with enhanced checks for security issues in Java code»runs within FindBugs, so that it can execute in Maven and/or Sonar»Generates XML-file with potential findings» Jenkins FindBugs plugin for representing results (also possible to display in Sonar)
44 Ruby on Rails apps: Brakeman Scans RoR code for vulnerabilities» CLI based» Nicely integrates with Jenkins Rendering scan results and trend analysis» Allows to compare scan results (delta detection) "What has been fixed and what was newly introduced?"
45 Axis "Static Depth": Level 3 Scan the complete applications source code for vulnerability patterns» Just like "Level 2", but now for the complete codebase (no excludes) i.e. all projects of a multi-project Maven project best via parent or corporate pom.xml For FindSecurityBugs this means:» pre-compile even all JSPs (if you have any) to scan them
46 Axis "Static Depth": Level 4 Scan source code of (important) third-party dependencies used in application» If the component is open-source: include it in regular scanning activities» If the component is closed-source: consider using code scanners that operate on binaries FindBugs (hence its FindSecurityBugs plugin) can also scan Java binaries, since it operates on Bytecode
47 Axis of "Intensity" How intense are the majority of the executed attacks within a Security DevOps CI chain? i.e. "what" is being checked for?
48 Axis "Intensity": Level 1 Dynamic checks: Only passive scanning» Simply proxy testcase generated traffic through passive scanners» Quick-win for using existing testcase code (i.e. Service- or UI-tests)» Can execute within existing tests that execute on every commit No requirement for a separate nightly CI job (i.e. doesn t slow down build) Static checks: Just scan the code along with other code metrics» Use the default rules of the scanners and integrate them into CI
49 Axis "Intensity": Level 2 Use lightweight active scanning options for dynamic checks» ZAP: active scanning of observed URLs provide a ZAP policy with desired active scan intensity» Arachni: enable "active scan" during spidering Better to execute in separate (nightly) build job due to duration
50 Axis "Intensity": Level 3 Use heavyweight scanning options on important parts of application Dynamic checks: create "riskier" custom attack profiles ZAP: set "Threshold" to "Low" / "Strength" to "High" (or selectively "Insane") enable more scanning rules via Policy Files (could be maintained & used via SCM) use ZAP s "Advanced SQLInjection Scanner" extension Arachni: Enable the more aggressive "audit flags" like --audit-forms, Static checks: FindSecurityBugs: set "Threshold" to "Low" and "Effort" to "Max"
51 Axis "Intensity": Level 4 Use customised rule sets for dynamic checks Some examples for ZAP:» Custom coded scan scripts as active & passive scan rules for company-individual checks» Security regression tests (in Zest) against previous found vulns (also logic flaws)» Custom input vector scripts: e.g. define certain injection points in custom encoded params» Proxy scripts: for example for generic request/response modifications
52 Scripting possibilities in ZAP
53 and for static code scans? Use customised rule sets for static checks Some example for FindSecurityBugs:» Custom coded rule files (in Java) to check for wrong usages of server-side inhouse frameworks
54 Axis of "Consolidation" How complete is the process of handling findings within a Security DevOps CI chain? i.e. "how" are the results used?
55 Axis "Consolidation": Level 1 Generate human-readable (HTML) reports from tools and link them in Jenkins» All relevant mentioned static and dynamic scanners generate HTML reports» Collect and publish them in Jenkins build: via Jenkins "HTML Publisher Plugin"
56 Jenkins "HTML Publisher Plugin": Configuration of HTML reports to link
57 Jenkins "HTML Publisher Plugin": Result in build
58 HTML report of ZAP scan
59 Axis "Consolidation": Level 1 (cont.) Use simple criteria to "break the build" on heavy findings (ok, at least "unstable")» Most scanners have capabilities to automatically flag the build» Dependency-Check (Severity Threshold),» FindSecurityBugs (via Sonar when rated as blocker),» etc.» For others: at least do a simple log parse from Jenkins "Log Parser Plugin" to flag the build as unstable and/or broken
60 OWASP Dependency-Check: Thresholds to break build
61 Axis "Consolidation": Level 2 Custom logic to make build unstable and/or broken depending on» Type of vulnerability (CWE or WASC or )» Severity ranking (high risk)» Confidence level (firm vs. tentative) Provide useful remediation info to developers Respect suppression mechanisms to rule out false positives
62 Flagging builds from reports How (from within a CI job)?» Most scanners also emit XML reports that can be parsed Often a simple XPath count is just fine» Alternatively fetch the results by accessing the scanner s API» Be sure to only break build with findings of high severity and high confidence!!! Less is more (when it comes to automation)» When new check introduce many findings: Baseline-Approach: Only break on new findings
63 Suppression of false positives Custom finding list (from XML reports): filter out according to list from code repo FindSecurityBugs: Use exclusion lists in config (XML filter files) & on false positive code lines Dependency-Check: XML file of suppressions (checked-in along with the project)
64 Axis "Consolidation": Level 3 Consolidation goals:» Consolidate & de-duplicate findings from different scanner reports» including better false positive handling» Push consolidated findings into established bug-tracker» Delta analysis & trends over consolidated data sets
65 ThreadFix as result consolidator Use a local ThreadFix server, which imports native scanner outputs does the heavy lifting of consolidation & de-duplication process can be customised using it s own REST-API pushes findings toward bug-tracker and IDE (via plugins) ThreadFix imports findings of ZAP, Arachni, FindBugs, Brakeman, etc.
66 Report generated by ThreadFix Bildquelle: ThreadFix
67 Trend Chart generated by ThreadFix Bildquelle: ThreadFix
68 Axis "Consolidation": Level 4 Measure the concrete code coverage of your security testing activities» Find untested "white spots"» Derive where static checks and code reviews should focus more to compensate
69 Code coverage analysis Use "OWASP Code Pulse", which instruments your Java app» collects coverage data during dynamic security testing scans» generates reports ("code treemaps") of coverage
70 Code Treemap of dynamic scan coverage Bildquelle: OWASP Code Pulse
71 Thank you very much!
72 Links OWASP ZAP ZAP Selenium Demo ZAP Jenkins Plugin Arachni OWASP Dependency Check FindSecurityBugs Jenkins Log Parser Plugin ThreadFix OWASP Code Pulse Hands-on Trainings for these and more Security Tools: Bildquelle: dreamstime.com
N different strategies to automate OWASP ZAP
OWASP BUCHAREST APPSEC CONFERENCE 13 OCTOBER 2017 The OWASP Foundation http://www.owasp.org N different strategies to automate OWASP ZAP The OWASP Zed Attack Proxy Marudhamaran Gunasekaran Zap Contributor
More informationRobots with Pentest Recipes:
Robots with Pentest Recipes: Democratizing Security Testing for DevOps Wins Abhay Bhargav - CTO, we45 Yours Truly Co-author of Secure Java For Web Application Development Author of PCI Compliance: A Definitive
More informationBeing Mean To Your Code: Integrating Security Tools into Your DevOps Pipeline
Being Mean To Your Code: Integrating Security Tools into Your DevOps Pipeline Boston Code Camp 26 November 19, 2016 Robert Hurlbut RobertHurlbut.com @RobertHurlbut Boston Code Camp 26 - Thanks to our Sponsors!
More informationAppScan Deployment APPLICATION SECURITY SERVICES. Colin Bell. Applications Security Senior Practice Manager
APPLICATION SECURITY SERVICES AppScan Deployment Colin Bell Applications Security Senior Practice Manager Copyright 2017 HCL Products & Platforms www.hcltech.com The Evolution of Devops 2001 - Continuous
More informationSecure DevOps: A Puma s Tail
Secure DevOps: A Puma s Tail SANS Secure DevOps Summit Tuesday, October 10th 2017 Eric Johnson (@emjohn20) Eric Johnson, CISSP, GSSP, GWAPT Cypress Data Defense Principal Security Consultant Static code
More informationStrengthen and Scale security using DevSecOps
OWASP Indonesia Meetup Strengthen and Scale security using DevSecOps $ www.teachera.io!"# @secfigo % secfigo@gmail.com # whoami Author, Speaker and Community Leader. Speaker/Trainer at Blackhat, AppSec EU,
More informationDevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY
DevOps Anti-Patterns Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! 31 Anti-Pattern: Throw it Over the Wall Development Operations 32 Anti-Pattern: DevOps Team Silo
More informationDefectDojo. The Good, the Bad and the Ugly. OWASP Stammtisch Hamburg Tilmann Haak Manuel Schneider
DefectDojo The Good, the Bad and the Ugly OWASP Stammtisch Hamburg Tilmann Haak Manuel Schneider 2018-05-31 PREFACE CIO: What is the security posture of our applications? How do you handle and communicate
More informationMonitoring Attack Surface and Integrating Security into DevOps Pipelines
Monitoring Attack Surface and Integrating Security into DevOps Pipelines Dan Cornell @danielcornell 0 Agenda Background Importance of Attack Surface What Does Attack Surface Have to Do with DevOps? Hybrid
More informationIronWASP (Iron Web application Advanced Security testing Platform)
IronWASP (Iron Web application Advanced Security testing Platform) 1. Introduction: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability
More informationApplication Security at DevOps Speed and Portfolio Scale. Jeff Contrast Security
Application Security at DevOps Speed and Portfolio Scale Jeff Williams @planetlevel Contrast Security OWASP XSS Prevention Cheat Sheet 1,000,000 Page Views! https://www.owasp.org/index.php/xss_(cross_site_scripting)_prevention_cheat_sheet
More informationManaging an Application Vulnerability Management Program in a CI/CD Environment. March 29, 2018 OWASP Vancouver - Karim Lalji 1
Managing an Application Vulnerability Management Program in a CI/CD Environment March 29, 2018 OWASP Vancouver - Karim Lalji 1 About Me Karim Lalji Managing Security Consultant (VA/PT) at TELUS Previously:
More informationAutomated Security Scanning in Payment Industry
Digital Transformation Specialist Automated Security Scanning in Payment Industry Michał Buczko Michał Buczko Test Consultant Public Speaker Security enthusiast Agenda 1.) Why security? 2.) How hard it
More informationMicro Focus Fortify Application Security
Micro Focus Fortify Application Security Petr Kunstat SW Consultant +420 603 400 377 petr.kunstat@microfocus.com My web/mobile app is secure. What about yours? High level IT Delivery process Business Idea
More informationPEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech
PEACH API SECURITY AUTOMATING API SECURITY TESTING Peach.tech Table of Contents Introduction... 3 Industry Trends... 3 API growth... 3 Agile and Continuous Development Frameworks... 4 Gaps in Tooling...
More informationTM DevOps Use Case TechMinfy All Rights Reserved
Document Details Use Case Name TMDevOps Use Case01 First Draft 5 th March 2018 Author Reviewed By Prabhakar D Pradeep Narayanaswamy Contents Scope... 4 About Customer... 4 Use Case Description... 4 Primary
More informationPut Security Into Your DevOps NOW. Or Prepare for the Flood Matthew Fisher Solution Architect, Fortify Federal 08MAR2018
Put Security Into Your DevOps NOW Or Prepare for the Flood Matthew Fisher Solution Architect, Fortify Federal 08MAR2018 Defining Devops State of Devops Report (Puppet, Dora):..set of practices and cultural
More informationSecuring DevOps, RMF and STIG
Securing DevOps, RMF and STIG Scott Snowden Sameer Kamani May 2017 San Diego Federal Fortify Users Group DevOps definition and principles DevOps (a clipped compound of development and operations) is a
More informationDriving OWASP ZAP with Selenium
Driving OWASP ZAP with Selenium About Me Mark Torrens - Recently moved into Cyber Security - Based in London - Completing MSc Cyber Security @ University of York - Security Architect for Kainos Mateusz
More informationTM DevOps Use Case. 2017TechMinfy All Rights Reserved
Document Details Use Case Name TMDevOps Use Case03 First Draft 01 st Dec 2017 Author Reviewed By Prabhakar D Pradeep Narayanaswamy Contents Scope... 4 About Customer... 4 Use Case Description... 4 Primary
More informationManual Testing. Software Development Life Cycle. Verification. Mobile Testing
10 Weeks (Weekday Batches) or 12 Weekends (Weekend batches) To become a Professional Software Tester To enable the students to become Employable Manual Testing Fundamental of Testing What is software testing?
More informationSicherheit beim Build
Sicherheit beim Build Java Forum Stuttgart 2017 Dominik Schadow bridgingit Verify your security activities Integration into the build pipeline Find security issues as early as possible Catch the low hanging
More informationZAP Innovations. OWASP Zed Attack Proxy. Simon Bennetts. OWASP AppSec EU Hamburg The OWASP Foundation
OWASP AppSec EU Hamburg 2013 The OWASP Foundation http://www.owasp.org ZAP Innovations OWASP Zed Attack Proxy Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team psiinon@gmail.com Copyright The
More informationTM DevOps Use Case. 2017TechMinfy All Rights Reserved
Document Details Use Case Name TMDevOps Use Case04 First Draft 10 th Dec 2017 Author Reviewed By Amrendra Kumar Pradeep Narayanaswamy Contents Scope... 4 About Customer... 4 Pre-Conditions/Trigger... 4
More informationIntroduction: Manual Testing :
: What is Automation Testing? Use of Automation. Where do we use. Tools that Do Automation. Web Applications vs Standalone Applications. What is selenium? How selenium works. Manual Testing : HTML: Detailed
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More informationContinuous Opportunity: DevOps & Security
August 2017 August 15, 2017 Continuous Opportunity: DevOps & Security 2016-2017 SANS Institute All Rights Reserved Introduction Ben Allen Security Engineer at SANS Institute Operations Engineer, Developer
More informationCONTRAST ASSESS MARKET-DEFINING APPLICATION SECURITY TESTING FOR MODERN AGILE AND DEVOPS TEAMS WHITEPAPER
WHITEPAPER CONTRAST ASSESS MARKET-DEFINING APPLICATION SECURITY TESTING FOR MODERN AGILE AND DEVOPS TEAMS WELCOME TO THE ERA OF SELF-PROTECTING SOFTWARE CONTRASTSECURITY.COM CONTENTS What is Interactive
More informationLearning Objectives of CP-SAT v 1.3
Learning Objectives of CP-SAT v 1.3 Knowledge with experience is power; certification is just a by-product What is CP-SAT? CP-SAT stands for Certified Practitioner Selenium Automation Testing certification
More informationContinuous Integration & Code Quality MINDS-ON NUNO 11 APRIL 2017
Continuous Integration & Code Quality MINDS-ON NUNO BETTENCOURT (NMB@ISEP.IPP.PT) @DEI, 11 APRIL 2017 Continuous Integration - THE THEORY - NMB@DEI - 11 April, 2017 CONTINUOUS INTEGRATION & SOFTWARE QUALITY
More informationSurrogate Dependencies (in
Surrogate Dependencies (in NodeJS) @DinisCruz London, 29th Sep 2016 Me Developer for 25 years AppSec for 13 years Day jobs: Leader OWASP O2 Platform project Application Security Training JBI Training,
More informationWeb Applications (Part 2) The Hackers New Target
Web Applications (Part 2) The Hackers New Target AppScan Source Edition Terence Chow Advisory Technical Consultant An IBM Rational IBM Software Proof of Technology Hacking 102: Integrating Web Application
More informationCreating an AppSec Pipeline with containers in a week. How we failed and succeeded Jeroen Willemsen OWASP benelux days
Creating an AppSec Pipeline with containers in a week How we failed and succeeded Jeroen Willemsen OWASP benelux days About me Jeroen Willemsen @commjoenie jwillemsen@xebia.com Security architect Full-stack
More informationTHE THREE WAYS OF SECURITY. Jeff Williams Co-founder and CTO Contrast Security
THE THREE WAYS OF SECURITY Jeff Williams Co-founder and CTO Contrast Security 1. TODAY S AVERAGE APPLICATION IS A SECURITY DISASTER 2. SOFTWARE IS LEAVING SECURITY IN THE DUST SOFTWARE Typical enterprise
More informationGetting Ready. I have copies on flash drives Uncompress the VM. Mandiant Corporation. All rights reserved.
Getting Ready In order to get the most from this session, please download / install: OWASP ZAP, which requires a Java runtime A virtualization package, such as the free VirtualBox, free VMware Player,
More informationTools for Accessing REST APIs
APPENDIX A Tools for Accessing REST APIs When you have to work in an agile development environment, you need to be able to quickly test your API. In this appendix, you will learn about open source REST
More information1) CB plugin for Jenkins 2) Requirements Mapping
1) CB plugin for Jenkins 2) Requirements Mapping (Some of the names used for variables in trigger/build as provided by the plugin have already been updated to ensure more overall consistency. I left the
More informationSiegfried Goeschl. Gatling Tales From A Journey
Siegfried Goeschl Gatling Tales From A Journey George International Turning George Online Banking into a multi-tenant and group-wide platform Single code base Currently targeting four tenants Server-side
More informationQMS ISO 9001:2015 CERTIFIED COMPANY Software Testing TRAINING.
QMS ISO 9001:2015 CERTIFIED COMPANY Software Testing TRAINING www.webliquidinfotech.com What you Learn: What is Software Testing? Why Testing is Important? Scope of Software Testing Objectives of Software
More informationApplication security : going quicker
Application security : going quicker The web application firewall example Agenda Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF
More information01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED
01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED Contents 1. Introduction 3 2. Security Testing Methodologies 3 2.1 Internet Footprint Assessment 4 2.2 Infrastructure Assessments
More informationJenkinsPipelineUnit. Test your Continuous Delivery Pipeline. Ozan Gunalp - Emmanuel Quincerot
JenkinsPipelineUnit Test your Continuous Delivery Pipeline Ozan Gunalp - Emmanuel Quincerot Who we are Ozan Günalp Emmanuel Quincerot Developer at LesFurets Developer at LesFurets PhD in Computer Science
More informationAN ISO 9001:2008 CERTIFIED COMPANY. Software Testing TRAINING.
AN ISO 9001:2008 CERTIFIED COMPANY Software Testing TRAINING www.webliquids.com ABOUT US Who we are: WebLiquids is an ISO (9001:2008), Google, Microsoft Certified Advanced Web Educational Training Organisation.
More informationSolutions Business Manager Web Application Security Assessment
White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security
More informationGOING WHERE NO WAFS HAVE GONE BEFORE
GOING WHERE NO WAFS HAVE GONE BEFORE Andy Prow Aura Information Security Sam Pickles Senior Systems Engineer, F5 Networks NZ Agenda: WTF is a WAF? View from the Trenches Example Attacks and Mitigation
More informationContinuous Security Testing. In a DevOps World
Continuous Security Testing In a DevOps World About Me Stephen de Vries CTO ContinuumSecurity 60% Security consultant 40% Developer Author: BDD-Security project About Me DevOps is a tool Plan/Code/Build/Test
More informationMind Q Systems Private Limited
Software Testing Tools Introduction Introduction to software Testing Software Development Process Project Vs Product Objectives of Testing Testing Principals Software Development Life Cycle SDLC SDLC Models
More informationLearning Objectives of CP-SAT v 1.31
Learning Objectives of CP-SAT v 1.31 Knowledge with experience is power; certification is just a by-product What is CP-SAT? CP-SAT stands for Certified Professional Selenium Automation Testing certification
More informationHuman vs Artificial intelligence Battle of Trust
Human vs Artificial intelligence Battle of Trust Hemil Shah Co-CEO & Director Blueinfy Solutions Pvt Ltd About Hemil Shah hemil@blueinjfy.net Position -, Co-CEO & Director at BlueInfy Solutions, - Founder
More information86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013
Vulnerabilities help make Web application attacks amongst the leading causes of data breaches +7 Million Exploitable Vulnerabilities challenge organizations today 86% of websites has at least 1 vulnerability
More informationContinuously Discover and Eliminate Security Risk in Production Apps
White Paper Security Continuously Discover and Eliminate Security Risk in Production Apps Table of Contents page Continuously Discover and Eliminate Security Risk in Production Apps... 1 Continuous Application
More informationSuman Sourav Director DevSecOps, Vantage Point Security. OWASP Indonesia Day 2017
Suman Sourav Director DevSecOps, Vantage Point Security OWASP Indonesia Day 2017 About me Certified Secure Software Lifecycle Professional (CSSLP) 12+ Years of Experience in Software Security Co-Founder
More informationCIS 700/002 : Special Topics : OWASP ZED (ZAP)
CIS 700/002 : Special Topics : OWASP ZED (ZAP) Hitali Sheth CIS 700/002: Security of EMBS/CPS/IoT Department of Computer and Information Science School of Engineering and Applied Science University of
More informationIntegrating with ClearPass HTTP APIs
Integrating with ClearPass HTTP APIs HTTP based APIs The world of APIs is full concepts that are not immediately obvious to those of us without software development backgrounds and terms like REST, RPC,
More informationCode review guide. Notice: Read about the language that you will test its code, if you don t have an idea about the language this will be difficult.
Code review guide Author: Jameel Nabbo Website: www.jameelnabbo.com Table of contents Introduction Code review Checklist Steps to perform on code review task Tips for code review Starting the Code review
More information3 Continuous Integration 3. Automated system finding bugs is better than people
This presentation is based upon a 3 day course I took from Jared Richardson. The examples and most of the tools presented are Java-centric, but there are equivalent tools for other languages or you can
More informationTechnology Background Development environment, Skeleton and Libraries
Technology Background Development environment, Skeleton and Libraries Christian Kroiß (based on slides by Dr. Andreas Schroeder) 18.04.2013 Christian Kroiß Outline Lecture 1 I. Eclipse II. Redmine, Jenkins,
More informationContinuous Integration (CI) with Jenkins
TDDC88 Lab 5 Continuous Integration (CI) with Jenkins This lab will give you some handson experience in using continuous integration tools to automate the integration periodically and/or when members of
More informationContinuous Integration / Continuous Testing
Bitte decken Sie die schraffierte Fläche mit einem Bild ab. Please cover the shaded area with a picture. (24,4 x 7,6 cm) Continuous Integration / Continuous Testing IIC What s SW Integration? Integration
More informationWeb Application Penetration Testing
Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate
More informationAutomating Security Practices for the DevOps Revolution
Automating Security Practices for the DevOps Revolution Hari Srinivasan Director Product Management, Cloud and Virtualization Security Qualys Inc. 1 Qualys, Inc. 2018 Agenda Transformation of today s IT
More informationFramework for Application Security Testing. September 11th, 2018
Framework for Application Security Testing September 11th, 2018 Create thousands of security tests from existing functional tests automatically Wallarm FAST enables secure CI / CD Wallarm FAST has many
More informationAutomated Acceptance testing by Developers & Automated Functional Testing by Testers
Automated Acceptance testing by Developers & Automated Functional Testing by Testers Gowrishankar Sundararajan QA Manager Tata Consultancy Services, Canada Executive Summary Overview on Traditional Agile
More informationJMeter Automation for Agile Projects. Simon Knight
JMeter Automation for Agile Projects Simon Knight About Me Simon Knight Professional tester since 2008 Independent since 2010 Generalist working on automation, performance and exploratory test projects
More informationDevOps A How To for Agility with Security
DevOps A How To for Agility with Security Murray Goldschmidt, COO Compliance, Protection & Business Confidence Sense of Security Pty Ltd Sydney Level 8, 66 King Street Sydney NSW 2000 Australia Melbourne
More informationDefend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title
Defend Your Web Applications Against the OWASP Top 10 Security Risks Speaker Name, Job Title Application Security Is Business Continuity Maintain and grow revenue Identify industry threats Protect assets
More informationSecurity Solution. Web Application
Web Application Security Solution Netsparker is a web application security solution that can be deployed on premise, on demand or a combination of both. Unlike other web application security scanners,
More informationHPE Security Fortify Plugins for Eclipse
HPE Security Fortify Plugins for Eclipse Software Version: 17.20 Installation and Usage Guide Document Release Date: November 2017 Software Release Date: November 2017 Legal Notices Warranty The only warranties
More informationAdvanced Java Testing. What s next?
Advanced Java Testing What s next? Vincent Massol, February 2018 Agenda Context & Current status quo Coverage testing Testing for backward compatibility Mutation testing Environment testing Context: XWiki
More informationThe Rise of the Purple Team
SESSION ID: AIR-W02 The Rise of the Purple Team Robert Wood Head of Security Nuna @robertwood50 William Bengtson Senior Security Program Manager Nuna @waggie2009 Typical Team Responsibilities Red Vulnerability
More informationOpen Source SAST and DAST Tools for WebApp Pen Testing
Open Source SAST and DAST Tools for WebApp Pen Testing Drew Kirkpatrick Funded by: Department of Homeland Security Science and Technology Directorate Cyber Security Division Web Application Pen Testing
More informationCONTINUOUS DELIVERY IN THE ORACLE CLOUD
CONTINUOUS DELIVERY IN THE ORACLE CLOUD Lykle Thijssen Bruno Neves Alves June 7, 2018 NLOUG Tech Experience Amersfoort eproseed Confidential ABOUT US Lykle Thijssen Principal Architect and Scrum Master
More informationContinuous Delivery for Cloud Native Applications
Continuous Delivery for Cloud Native Applications Cyrille Le Clerc, Director, Product Management at CloudBees Bjorn Boe, Senior Field Engineer at Pivotal Software Speakers /Cyrille Le Clerc Product Manager
More informationQuo pertentas, OSS? How Open Source can benefit from well-crafted Tests
Quo pertentas, OSS? How Open Source can benefit from well-crafted Tests Björn Kimminich Web: http://kimminich.de Twitter: @bkimminich v1.0 Let s start with some code and a corresponding unit test! It passes
More informationCNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies
CNIT 129S: Securing Web Applications Ch 3: Web Application Technologies HTTP Hypertext Transfer Protocol (HTTP) Connectionless protocol Client sends an HTTP request to a Web server Gets an HTTP response
More informationAchieving Continuous Delivery - Micro Services. - Vikram Gadang
Achieving Continuous Delivery - Micro Services - Vikram Gadang Agenda Starting point Observations and lessons learned Architecting for CD Build pipeline strategy Testing strategy Deployment strategy State
More informationTesting NodeJS, REST APIs and MongoDB with UFT January 19, 2016
Testing NodeJS, REST APIs and MongoDB with UFT January 19, 2016 Brought to you by Hosted By Bernard P. Szymczak Ohio Chapter Leader HP Software Education SIG Leader TQA SIG Leader Today s Speakers Ori
More informationBrochure. Security. Fortify on Demand Dynamic Application Security Testing
Brochure Security Fortify on Demand Dynamic Application Security Testing Brochure Fortify on Demand Application Security as a Service Dynamic Application Security Testing Fortify on Demand delivers application
More informationHow to Secure Your Cloud with...a Cloud?
A New Era of Thinking How to Secure Your Cloud with...a Cloud? Eitan Worcel Offering Manager - Application Security on Cloud IBM Security 1 2016 IBM Corporation 1 A New Era of Thinking Agenda IBM Cloud
More informationJenkins: A complete solution. From Continuous Integration to Continuous Delivery For HSBC
Jenkins: A complete solution From Integration to Delivery For HSBC Rajesh Kumar DevOps Architect @RajeshKumarIN www.rajeshkumar.xyz Agenda Why Jenkins? Introduction and some facts about Jenkins Supported
More informationAvoiding regressions in an agile development environment. At Yottaa
Avoiding regressions in an agile development environment At Yottaa Speaker Intro Studied Computer Science at Helsinki University Previously, Consulting Engineer at DEC Founder of Automature Developed middleware
More informationDevSecOps Shift Left Security. Prioritizing Incident Response using Security Posture Assessment and Attack Surface Analysis
DevSecOps Shift Left Security Prioritizing Incident Response using Security Posture Assessment and Attack Surface Analysis Themes Vulnerabilities are Low Hanging Fruit Why so many breaches that Anti-Virus
More informationSeven Habits of Highly Effective Jenkins Users. Andrew Bayer Cloudera OSCON Java 2011
Seven Habits of Highly Effective Jenkins Users Andrew Bayer Cloudera OSCON Java 2011 Introduction Who am I? I'm a build guy, with a focus on Java builds. I've been using and working on Jenkins since early
More informationThis release of Micro Focus Fortify Software includes the following new functions and features. Micro Focus Fortify Software Security Center
Fortify Software What s New in Micro Focus Fortify Software 18.20 November 2018 This release of Micro Focus Fortify Software includes the following new functions and features. Micro Focus Fortify Software
More informationREPRONOW-SAVE TIME REPRODUCING AND TRIAGING SECURITY BUGS
SESSION ID: ASEC-W12 REPRONOW-SAVE TIME REPRODUCING AND TRIAGING SECURITY BUGS Vinayendra Nataraja Senior Product Security Engineer Salesforce @vinayendra Lakshmi Sudheer Security Researcher Adobe, Inc.
More informationOverview of load testing with Taurus in Jenkins pipeline
Overview of load testing with Taurus in Jenkins pipeline how to get Taurus installed what a Taurus test script looks like how to configure Taurus to accurately represent use cases Actions in this session:
More informationWeb Applications & APIs
18 QUALYS SECURITY CONFERENCE 2018 Web Applications & APIs The Soft Belly of the Cloud Dave Ferguson Director, Product Management, WAS Remi Le Mer Director, Product Management, WAF Agenda Web Apps & APIs
More informationSahi. Cost effective Web Automation
Sahi Cost effective Web Automation What is Sahi? Automates web applications Started in 2005 Mature business ready product Aimed at testers in Agile and traditional environments Focus Aimed at testers For
More informationOAuth 2 and Native Apps
OAuth 2 and Native Apps Flows While all OAuth 2 flows can be used by native apps, only the user delegation flows will be considered in this document: Web Server, User-Agent and Device flows. The Web Server
More informationRiskSense Attack Surface Validation for Web Applications
RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment
More informationContinuous Testing at Scale
Continuous Testing at Scale TAPOST Conference October 12th 2016, Riga dmitry@buzdin.lv @buzdin Dmitry Buzdin Introduction to Continuous Testing Continuous Delivery Get changes to production in fast and
More informationFull Stack Developer with Java
Full Stack Developer with Java Full Stack Developer (Java) MVC, Databases and ORMs, API Backend Frontend Fundamentals - HTML, CSS, JS Unit Testing Advanced Full Stack Developer (Java) UML, Distributed
More informationMulti-Post XSRF Web App Exploitation, total pwnage
Multi-Post XSRF Web App Exploitation, total pwnage Adrien de Beaupré SANS ISC Handler Tester of pens Certified SANS Instructor Intru-Shun.ca Inc. SecTor 2015 Introduction Web application vulnerabilities.
More informationRKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
More informationHow to implement SDL and don t turn gray. Andrey Kovalev, Security Engineer
How to implement SDL and don t turn gray Andrey Kovalev, Security Engineer Agenda SDL 101 Yandex approach SAST, DAST, FSR: drawbacks and solutions Summary 3 How to implement SDL and don t turn gray SDL
More informationDiscover Best of Show März 2016, Düsseldorf
Discover Best of Show 2016 2. - 3. März 2016, Düsseldorf 2. - 3. März 2016 Softwaresicherheit im Zeitalter von DevOps Lucas von Stockhausen Regional Product Manager Fortify The case for Application Security
More informationCNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components
CNIT 129S: Securing Web Applications Ch 10: Attacking Back-End Components Injecting OS Commands Web server platforms often have APIs To access the filesystem, interface with other processes, and for network
More informationChild Welfare Digital Services Sprint Review Presentation
Child Welfare Digital Services Sprint Review Presentation Sprint Review of Iteration 4.2 CALS/TPT2/LDU Sprint Dates: 09/07/17 to 09/20/17 Agenda CALS product discussion Value proposition Product demonstration
More informationA Strategic Approach to Web Application Security
A STRATEGIC APPROACH TO WEB APP SECURITY WHITE PAPER A Strategic Approach to Web Application Security Extending security across the entire software development lifecycle The problem: websites are the new
More informationQuality Engineering in DevOps world a Strategic Enabler
www.cigniti.com Unsolicited Distribution is Restricted. Copyright 2015-16, Cigniti Technologies Quality Engineering in DevOps world a Strategic Enabler » Analyst Speak» DevOps in a nutshell» DevOps vs
More information