When Continuous Integration Meets Application Security
Software Quality Conference Pacific NW
Harish Krishnan & Vasantharaju M.S [10/18/2016]
Question?
Agenda
1 Problem Statement
2 Continuous Integration (CI)
3 Application Security
4 Security Tools
5 CI + Tools
6 What do we get?
Problem Statement
Security comes LAST
Continuous Integration (CI)?
Wikipedia Definition: In software engineering, continuous integration (CI) is the practice of merging all developer working copies to a shared mainline several times a day.
Pipeline: Source Repository -> Code check-ins -> Continuous Integration: Build the Project -> Deploy/Install -> Run unit tests -> Run integration tests -> Report results
CI tools: Cruise Control, Jenkins, TeamCity, Travis CI
Application Security?
Wikipedia Definition: Application security encompasses measures taken throughout the code's life-cycle to prevent gaps in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance or database of the application.
Security Tools
Static Analysis: Coverity, FindBugs
Dynamic Analysis: Nessus, XS3canner (in-house)
3rd Party Libraries Audit: OWASP Dependency Check
Static Analysis
Wikipedia Definition: Static program analysis is the analysis of computer software that is performed without actually executing programs (analysis performed on executing programs is known as dynamic analysis). In most cases the analysis is performed on some version of the source code, and in the other cases, some form of the object code.
Static Analysis
Coverity: $$$
FindBugs: Free
FindBugs configuration
filter.xml (an include filter that keeps only bugs in the SECURITY category):

    <?xml version="1.0" encoding="UTF-8"?>
    <FindBugsFilter>
      <Match>
        <Bug category="SECURITY"/>
      </Match>
    </FindBugsFilter>
FindBugs configuration (continued…)
build.xml (Ant target that runs FindBugs with the include filter above and writes an XML report):

    <project name="FindBugs" default="findbugs" basedir=".">
      <taskdef name="findbugs" classname="edu.umd.cs.findbugs.anttask.FindBugsTask"/>
      <property name="findbugs.home" value="${basedir}/findbugs-3.0.1" />
      <target name="findbugs">
        <findbugs home="${findbugs.home}"
                  output="xml"
                  outputFile="result.xml"
                  includeFilter="${basedir}/filter.xml" >
          <sourcePath path="${basedir}/src" />
          <class location="${basedir}/lib/*.jar" />
        </findbugs>
      </target>
    </project>
Integrating FindBugs into CI system
Pipeline: Source Repository -> Code check-ins -> Continuous Integration: Check-Out code -> Build (if needed) -> Run Static Analysis -> Analyze results -> Report results
Build (if needed): depends on the Static Analysis tool. FindBugs: No. Coverity: Yes.
Run Static Analysis: runs the FindBugs ant script. Example: c:\> ant findbugs
Analyze results: programmatically parse the xml and look for any <BugInstance> elements, e.g.:

    <BugInstance category="SECURITY">
      <Class classname="">
        <SourceLine classname="" sourcepath="" sourcefile="" end="" start=""/>
      </Class>
    </BugInstance>
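The "Analyze results" step above is the part a CI job has to script itself. The following is an added example (not code from the talk or from FindBugs) of that step: it parses the result.xml that the ant target writes, collects every BugInstance in the SECURITY category with its class and source location, and returns a non-zero exit code so the CI step fails. The sample report is constructed to match the BugInstance > Class > SourceLine shape shown on the slide.

```python
"""Gate a CI job on FindBugs SECURITY findings (added example)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample of a FindBugs XML report, shaped like the slide's snippet.
SAMPLE_RESULT_XML = """<BugCollection version="3.0.1">
  <BugInstance type="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" priority="1" category="SECURITY">
    <ShortMessage>Nonconstant string passed to execute method on an SQL statement</ShortMessage>
    <Class classname="com.example.UserDao">
      <SourceLine classname="com.example.UserDao" sourcepath="com/example/UserDao.java"
                  sourcefile="UserDao.java" start="42" end="44"/>
    </Class>
  </BugInstance>
  <BugInstance type="DM_DEFAULT_ENCODING" priority="2" category="I18N">
    <ShortMessage>Reliance on default encoding</ShortMessage>
    <Class classname="com.example.Util">
      <SourceLine classname="com.example.Util" sourcepath="com/example/Util.java"
                  sourcefile="Util.java" start="10" end="10"/>
    </Class>
  </BugInstance>
</BugCollection>
"""


def security_findings(xml_text, category="SECURITY"):
    """Return (type, classname, sourcepath, start, end) for each BugInstance in
    `category`. The filter.xml on the slide already restricts the report to
    SECURITY, but the gate re-checks the category so it is safe to run on an
    unfiltered report as well."""
    root = ET.fromstring(xml_text)
    findings = []
    for bug in root.iter("BugInstance"):
        if bug.get("category") != category:
            continue
        cls = bug.find("Class")
        line = cls.find("SourceLine") if cls is not None else None
        findings.append((
            bug.get("type"),
            cls.get("classname") if cls is not None else "?",
            line.get("sourcepath") if line is not None else "?",
            int(line.get("start", "0")) if line is not None else 0,
            int(line.get("end", "0")) if line is not None else 0,
        ))
    return findings


def ci_exit_code(xml_text):
    """0 when the report has no SECURITY findings, 1 otherwise (fails the CI step)."""
    return 1 if security_findings(xml_text) else 0


if __name__ == "__main__":
    # Usage: python findbugs_gate.py result.xml  (falls back to the sample when no path is given)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_RESULT_XML
    for bug_type, classname, sourcepath, start, end in security_findings(text):
        print("%s at %s:%d-%d (%s)" % (bug_type, sourcepath, start, end, classname))
    sys.exit(ci_exit_code(text))
```

Printing the source path and line range is what makes the report actionable for the developer who broke the build; the exit code is what makes the CI server mark the check-in as failed.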
Dynamic Analysis
Wikipedia Definition: Dynamic program analysis is the analysis of computer software that is performed by executing programs on a real or virtual processor.
Dynamic Analysis
Nessus: $$$
XS3canner: In-house
Nessus Configuration
Nessus REST API -> Nessrest (Python framework, free) -> API call
Nessus Configuration (continued…)

    import sys
    from nessrest import ness6rest as nes

    # Connect to the Nessus server using API access/secret keys;
    # insecure=True disables TLS certificate verification for the connection
    try:
        scan = nes.Scanner(url=URL, api_akey=nessus_accessKey, api_skey=nessus_secretKey, insecure=True)
    except Exception as e:
        log("Could not connect to Nessus Server: %s" % str(e))
        sys.exit(1)
Nessus Configuration (continued…)

    scan.policy_set(POLICY)                         # select the scan policy
    scan.scan_add(targets=TARGETS, name=scan_name)  # create a scan for the target list
    scan.scan_run()                                 # launch the scan
    content = scan.download_scan()                  # export the scan results
Integrating Nessus into CI system
Pipeline: Source Repository -> Code check-ins -> Continuous Integration: Check-Out code -> Deploy/install -> Run Dynamic Analysis -> Analyze results -> Report results
Deploy/install: for Dynamic Analysis, the Application must be running.
Run Dynamic Analysis: runs the python automation scripts.
Analyze results:

    report = scan.parse(Report)
    target = report.targets()
    vulnerabilities = target.vulns
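The slide reads the vulnerabilities back through nessrest objects. As an added example (not code from the talk or from nessrest), the script below does the "Analyze results" step on the exported scan file instead: it parses the .nessus XML that a scan export produces (assumed here to be the NessusClientData_v2 format, with ReportHost/ReportItem elements and a numeric severity attribute 0..4), summarises findings per host, and fails the CI step when any finding reaches a configurable severity. The sample export and its plugin IDs are constructed.

```python
"""Turn a Nessus .nessus export into a CI pass/fail decision (added example)."""
import sys
import xml.etree.ElementTree as ET

# Assumed Nessus severity scale for the ReportItem "severity" attribute.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export: two hosts, one High finding, one Low, one Info.
SAMPLE_NESSUS_XML = """<NessusClientData_v2>
  <Report name="ci-scan">
    <ReportHost name="10.0.0.5">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="0"
                  pluginID="99999901" pluginName="Service detection"/>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                  pluginID="99999902" pluginName="TLS service accepts weak cipher suites"/>
    </ReportHost>
    <ReportHost name="10.0.0.6">
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1"
                  pluginID="99999903" pluginName="SSH banner disclosure"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def findings_by_host(xml_text, min_severity=1):
    """Return {host: [(severity, port, pluginName), ...]} with items at or above
    min_severity, highest severity first. Informational items (0) are dropped by
    default so they do not clutter the CI report."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("ReportHost"):
        items = []
        for item in host.findall("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev >= min_severity:
                items.append((sev, item.get("port"), item.get("pluginName")))
        items.sort(reverse=True)
        result[host.get("name")] = items
    return result


def highest_severity(xml_text):
    """Worst severity seen anywhere in the export (0 when nothing above Info)."""
    return max((f[0] for fs in findings_by_host(xml_text).values() for f in fs), default=0)


def ci_exit_code(xml_text, fail_at=3):
    """1 (fail the step) when any finding is at or above fail_at (High by default)."""
    return 1 if highest_severity(xml_text) >= fail_at else 0


if __name__ == "__main__":
    # Usage: python nessus_gate.py scan.nessus  (falls back to the sample when no path is given)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_NESSUS_XML
    for host, items in findings_by_host(text).items():
        for sev, port, plugin in items:
            print("%s  %-8s port %s  %s" % (host, SEVERITY_NAMES.get(sev, sev), port, plugin))
    sys.exit(ci_exit_code(text))
```

Keeping the threshold a parameter matters in practice: a team usually starts by failing only on High/Critical and lowers the bar once the backlog of known findings is cleared, so the gate stays credible instead of being switched off.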
3rd Party component security audit
OWASP Dependency Check: Free
Dependency Check configuration
Ant target that scans every jar under lib/ and writes an XML report:

    <target name="dependency-check" description="Dependency-Check Analysis">
      <dependency-check projectname="Hello World"
                        reportoutputdirectory="${basedir}"
                        reportformat="XML">
        <fileset dir="lib">
          <include name="**/*.jar"/>
        </fileset>
      </dependency-check>
    </target>
Integrating Dependency Check into CI system
Pipeline: Source Repository -> Code check-ins -> Continuous Integration: Check-Out code -> Group Libraries -> Run DC Tool -> Analyze results -> Report results
Group Libraries: a directory containing all our libraries, for scanning.
Run DC Tool: runs the DC ant script. Example: c:\> ant dependency-check
Analyze results: programmatically parse the xml and look for any vulnerabilities listed.
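The "Analyze results" step for Dependency Check is again something the CI job scripts itself. As an added example (not code from the talk or from OWASP Dependency Check), the script below parses the XML report the Ant target writes, lists the vulnerable jars with their CVEs sorted by CVSS score, and fails the step when any score reaches a threshold. The element names (dependency > fileName, vulnerabilities > vulnerability with name/cvssScore/severity) follow the report schema as assumed here, and the XML namespace is stripped so the schema version in the URI does not matter; the sample report is constructed and its CVE identifiers are placeholders.

```python
"""Gate a CI job on the OWASP Dependency Check XML report (added example)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample report; CVE ids are placeholders, not real identifiers.
SAMPLE_DC_XML = """<?xml version="1.0"?>
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
  <projectInfo><name>Hello World</name></projectInfo>
  <dependencies>
    <dependency>
      <fileName>example-web-1.0.jar</fileName>
      <filePath>lib/example-web-1.0.jar</filePath>
      <vulnerabilities>
        <vulnerability>
          <name>CVE-YYYY-PLACEHOLDER2</name>
          <cvssScore>4.3</cvssScore>
          <severity>Medium</severity>
        </vulnerability>
        <vulnerability>
          <name>CVE-YYYY-PLACEHOLDER1</name>
          <cvssScore>7.5</cvssScore>
          <severity>High</severity>
        </vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>example-util-2.1.jar</fileName>
      <filePath>lib/example-util-2.1.jar</filePath>
    </dependency>
  </dependencies>
</analysis>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on namespaced tag names."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def vulnerable_dependencies(xml_text):
    """Return {fileName: [(cve, cvss_score, severity), ...]} for every dependency
    that has at least one vulnerability, worst score first; clean jars are omitted."""
    root = ET.fromstring(xml_text)
    out = {}
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        file_name = next((c.text for c in dep if _local(c.tag) == "fileName"), "?")
        vulns = []
        for v in dep.iter():
            if _local(v.tag) != "vulnerability":
                continue
            fields = {_local(c.tag): (c.text or "").strip() for c in v}
            vulns.append((fields.get("name", "?"),
                          float(fields.get("cvssScore") or 0),
                          fields.get("severity", "?")))
        if vulns:
            vulns.sort(key=lambda t: t[1], reverse=True)
            out[file_name] = vulns
    return out


def ci_exit_code(xml_text, fail_at_cvss=7.0):
    """1 (fail the step) when any listed vulnerability scores >= fail_at_cvss, else 0."""
    worst = max((v[1] for vs in vulnerable_dependencies(xml_text).values() for v in vs),
                default=0.0)
    return 1 if worst >= fail_at_cvss else 0


if __name__ == "__main__":
    # Usage: python dc_gate.py dependency-check-report.xml  (sample is used when no path is given)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_DC_XML
    for jar, vulns in vulnerable_dependencies(text).items():
        for cve, score, severity in vulns:
            print("%s  %s  CVSS %.1f  %s" % (jar, cve, score, severity))
    sys.exit(ci_exit_code(text))
```

Grouping by jar rather than by CVE is deliberate: the fix for a third-party finding is almost always "upgrade this library", so the report should point at the artifact to replace.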
What do we get?
Confidence
Discover and fix vulnerabilities early in the SDLC
THANK YOU