This document summarizes a presentation about security testing for containerized applications. It discusses performing static analysis on code, dependencies, and Docker images using open source tools like Bandit, Brakeman, Find Security Bugs, TSLint, OWASP Dependency Track, and Clair. It also covers dynamic analysis using passive and active scanning with OWASP Zap. The presentation demonstrates running these security tests on a sample Lolcode application and integrating the tests into a CI/CD pipeline using OWASP Glue. It provides resources for learning more about security testing of containerized apps.
11. What?
● Scanning static assets (e.g. source code)
● Language aware
● Different Tools for different layer
● Point where is the issue
Code
Dependencies
Docker Image
12. Code Layer
● Scan the code for vulnerabilities
● Different tools for different languages
● Bandit – Python
● Brakeman – Ruby on Rails
● Find Security Bug - Java
● TSLint - TypeScript
● OWASP Source Code Analyzers list
Code
Dependencies
Docker Image
14. Dependencies Layer
● 3rd party code used by the app
● Usually installed by a package manager
● PyPi, Gem, NuGet, NPM
● Each dependency might include known vulnerability
● OWASP Top 10 A9
● OWASP Dependency Track
Code
Dependencies
Docker Image
22. What?
● Scanning live app
● Language agnostic, protocol aware
● Only detect issues, not what cause to them
● Simple by using OWASP Zap
● Passive
● Active
● Leveraging Docker for local run
Code
Dependencies
Docker Image
23.
24.
25.
26. Passive Scan
● Proxy black box tests
● Scan HTTP requests/responses
● HTTP static analysis
● Looks for security issues
● Fast, not risky
Code
Dependencies
Docker Image
27. Active Scan
● Discover all endpoint
● Craft malicious requests
● Test that the server can handle those request
● Slow, could cause damage
Code
Dependencies
Docker Image
31. Building our CI/CD Pipeline
✓ Break the build or it didn’t happen
✓ False positives
✓ Keep it DRY
✓ Easy
32. Image Certification
Only images that passed all the tests should be used on production
● Build dependency
● Image labels
● Image signing
● Image policy
33. What we have @ Soluto?
● Static analysis
✓ Source code scan
❑ Dependencies scan (in progress)
❑ Image scan
● Dynamic analysis
✓ Passive
❑ Active (in progress)
My name is Omer, leading AppSec efforts at Soluto for the past 3 years
Thank the organizers
Who here is doing AppSec for her living?
I’m also a coder, coding for the last 10 years
Who here is willing to help me with code review?
Who here is confidence enough in her review and think I can put this code in production?
Lolcode is an esotirc languge, but I’m using it to explain a real pain we are facing at Soluto.
How we help with technology
This is a map of all the technologies we’re using, this is really wide stack.
To me, reading a code in Go, elixir or F# is challenge like Lolcode – this is a code in a languge I am not familiar with, and it will take me some time to be able to read it.
And this is a problem I’m facing as AppSec person, and I know from other company that our situation is not unique.
Developers try to choose the best tool for the job, not what we the security teem know. And this is a challenge.
We can try to increase the AppSec team but this is not scale, and not simple
We can try to block the devs, and choose for them what to use – but we don’t have the right context for that
We just need to let it go, we need to accept this situation and try to think how we can empower developers and let them choose whatever technology they want, without introducing new risks.
And this is a great challenge I am facing, and I’m sure I’m not the only one.
The question is how.
Emphasis this is the plan we started with, and it’s WIP
A real example of timing attack due to insecure equals
Something easy to miss, but easy to spot using static analysis
We had real issue at Soluto that caught by using TSLint
Show how many packages available
Say something about the rise