Anúncio
Automation of Security scanning easy or cheese
30 de Jul de 2019•0 gostou•122 visualizações
1 gostaram
Seja o primeiro a gostar disto
mostrar mais
visualizações
Vistos totais
0
No Slideshare
0
De incorporações
0
Número de incorporações
0
Baixar para ler offline
Denunciar
Tecnologia
By Karen Florykian at Automation in Action: summer conference. Video: https://youtu.be/4fUwEvnFo_Q TOPIC DESCRIPTION I will share my experience of SDLC enablement on the enterprise level. In the process I will reveal pitfalls and gotchas about the building of a developer-friendly CI-enabled service using industry standard static and dynamic scanning tools, CI platforms, ReportPortal, Carrier platform and Jira integration service.
Katherine GolovinovaSeguir
Anúncio
Anúncio
Anúncio
Recomendados
Cybersecurity overview - Open source compliance seminarRogue Wave Software
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
OTG - Practical Hands on VAPTshiriskumar
Is av dead or just missing in action - avar2016rajeshnikam
Primer: The top ten automotive cybersecurity vulnerabilities of 2015Rogue Wave Software
Reducing Risk of Credential Compromise at NetflixSBWebinars
Automation of Security scanning easy or cheese
- 1 Skype: florykian.karen EPAM Kharkiv Security Automation Easy or cheese by Karen Florykian Lead Performance Analyst
- 2 Application Security Testing Security assessment for routers, firewall, load balancers, switches, find network misconfiguration Infrastructure Scanning OS vulnerabilities, known vulnerabilities in images, evaluate the image against policies to check for security compliance. Container Scanning Dynamic application security testing Find security vulnerabilities in a running application, typically web apps. DAST Static Application Security Testing Catch security issues on early stages of code development, allows developers to find bugs in code SAST Many types of security vulnerabilities are difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. Functional Security Automation
- 3 Security Automation 03 01 04 02 Speed Integrity Availability Visibility
- 4 Real Life 68 % False positive analysis 25 % 29 % 39 % 7 %
- 5 Real Life 85 % of findings are not real issues 25 % 29 % 39 % 7 %
- 6 Vision
- 7 Proof Of Concept • Integrated in existing CI pipeline or configured to be ran on self- service basis • Traffic created using existing tests • False Positives analysis can be partially automated using DefectDojo or ReportPortal capabilities
- 8 Project Pipeline
- 9 Under The SAST Hood
- 10
- 11 Grouping Jira service ReportPortal Jira Service Junit XML
- 12 Spidergetti Or Rainboweb Jira service ReportPortal Jira Service Junit XML
- 13 Canonical Data Model Jira service ReportPortal Jira Service Junit XML CDM
- 14 Auto-Analysis • Validate capabilities • Identify parameters to reduce duplicates • Create service with equals strategy • Contact to ReportPortal team to create custom analyzer service with equals strategy
- 15 Issue #1
- 16 Issue #2
- 17 We All Are Lazy VS OPEN FOR WEEKS BECAUSE IT IS NOT ACTIONABLE FIXED WITHIN THE WEEK IT APPEARED IN BACKLOG
- 18 Carrier carrier-io/sast: Tools for SAST Demo
- 19
- 20 Useful Links • SAST: https://github.com/carrier-io/sast • Docker Hub: https://hub.docker.com/r/getcarrier/sast • DAST: https://github.com/carrier-io/dast • Docker Hub: https://hub.docker.com/r/getcarrier/dast • DASTY ☺: https://github.com/carrier-io/dusty Library to execute various security tools and convert output to common unifiedformat • Carrier: https://hub.docker.com/u/getcarrier • ReportPortal Auto-Analysis equals service: https://github.com/reportportal/service-analyzer-equals
- 21 Thank You!Florykian Karen Lead Performance Analyst
Anúncio