Create secure software is more than run a penetration test or a code review, just before the deploy and having some automatism can help you in have a low error rate process. In this talk we will go through the pipeline building process, explaining how to automate some boring tasks dedicating ourself to having fun, playing tricks like pros. At the end of our journey both tech people than security managers, will have the feeling that using the pipeline approach, they can lower vulnerabilities, with an affordable time to market so to make the bosses happy.

1. Putyourselfinthe#appsecpipeline
Paolo Perego - thesp0nge
MILAN 25-26 NOVEMBER 2016

2. $whoami
• 15 anni nell’industria #itsec
• Tech blogger @codiceinsicuro
• ❤ sviluppare security source
code scanners (Owasp Orizon,
dawnscanner)
• ❤ tenere talk su temi di
#appsec
• Seguimi su @thesp0nge

3. Agenda
• Talk about testing scenarios
• Talk about what an appsec pipe is and what do you
need to create one
• Be inspired, go home and do some homework

4. WhatdoIhavetotest?

6. Testingscenarios

7. Wedon’tdoanytest
(and we are aware of it)

8. Wedon’tdoanytest
(but I’ll love to do)

9. Wedosecuritytest
(but I want to learn more about the pipeline)

11. Howdoweperformsecuritytests?

12. Theunacceptablesolution…
• Tests must be done:
• in production environment
• before going live
• Testers need:
• the code being frozen
• some “fake” accounts
• a couple of week to do the job

13. …foradifficulttask
• Products can not delay time to market
release to allow security tests
• Tests must be performed on each
release
• Often companies do releases on a
weekly basis
• There are no fake accounts on a
production server
• Code is never on a frozen state
• This applies to web properties and
mobile applications
• Tests are not sawn as investment

14. #appseccan’tbedonethisway
and we’re the first talking our science to the next level

16. Theapplicationsecuritypipeline

17. Beforewestart
• We need
• Commitment
• An organised SDLC
• A development team aware
about #appsec topic
• An #appsec team (with patience
and some coding skills)

18. Thenwecanbuildthe#appsecpipeline
(https://www.owasp.org/index.php/OWASP_AppSec_Pipeline)

19. Thecollectortool
A way for our customer to ask for services, keep track about the progress and
having results back

20. Yourfavouritecollectionof#appsectools
You may want to cover vulnerability assessment, penetration test, web application
penetration test and code review at least. Keep calm and let’s go shopping.

21. TheOrchestrator
Your customers ask for services, you need an automatic dispatcher mechanism to
the appropriate tool. Of course you need also something retrieving results too.

22. Theticketingsystem
You need something to keep track about vulnerabilities, about their history and
their state.

23. TheWorkflow
(Glue all together)

24. Canaveral

25. AGrapebasedorchestratortoruntoolinourpipeline
Very alpha - Opensource - Integrates Nmap, Dawnscanner and Owasp ZAP

26. Demo

27. Bonustrack-someusefultools

28. Sometoolstocheck
• Sinatra with Grape (create HTTP API
endpoints)
• Owasp ZAP (WAPT on steroids)
• Owasp DeepViolet (check your SSL config)
• Nexpose + nexpose gem (automate
vulnerability assessment)
• Brakeman/Dawnscanner (ultimate ruby
code review)
• Owasp Orizon (Java security code review)
• Owasp GLUE gem (pipeline related tool)
• Canaveral (a Grape based orchestrator for
your pipeline)

29. Questions?

30. THANKS!