SlideShare a Scribd company logo

Ruby on Rails security in your Continuous Integration

Sqreen
Sqreen

Sqreen (https://www.sqreen.io) describes how open-source public tools can help improve your software security in your Continuous Integration cycle. This presentation focus on Ruby on Rails and uses open source Ruby gems as well as Jenkins, an open source CI tool. Two tools are presented. Arachni (https://github.com/Arachni/arachni) is a dynamic security analysis tool. It need some special scripting to get integrated to Jenkins (ask me!). Brakeman (https://github.com/presidentbeef/brakeman), a static analysis tool, targets Ruby on Rails applications source code. It can be easily integrated to Jenkins thanks to an existing plug-in. This method can make the reports hard to understand and process systematically in a CI work flow. Jean-Baptiste Aviat, Sqreen CTO

Software
1 of 17
Download to read offline
Confidential & proprietary © Sqreen, 2015 Rails Security Continuous Integration We make products antifragile.
Confidential & proprietary © Sqreen, 2015 Jean-Baptiste Aviat Sqreen CTO (https://sqreen.io) Former Apple software security engineer Former white hat hacker Twitter: @JbAviat Email: jb@sqreen.io
Confidential & proprietary © Sqreen, 2015 –Agent Smith “Never send a human to do a machine's job.”
Confidential & proprietary © Sqreen, 2015 Continuous Integration Quality: automate everything you can Unit tests at every commit Integration tests at every commit Test against a production like stack Maximize confidence for every commit
Confidential & proprietary © Sqreen, 2015 –Edsger W. Dijkstra “Testing shows the presence, not the absence of bugs.”
Confidential & proprietary © Sqreen, 2015 Static & Dynamic analysis
Confidential & proprietary © Sqreen, 2015 Static analysis - Brakeman http://brakemanscanner.org/ Written in Ruby Dedicated to Ruby on Rails Open source: https://github.com/presidentbeef/brakeman Podcast: Ruby Rogues #219
Confidential & proprietary © Sqreen, 2015 Static analysis - Jenkins integration Jenkins plugin: https://wiki.jenkins-ci.org/display/JENKINS/Brakeman+Plugin Install Gem on test server Add an adequate test to Jenkins Done.
Confidential & proprietary © Sqreen, 2015 Dynamic analysis - Arachni http://www.arachni-scanner.com/ Written in Ruby Compatible with any Web application Open source: https://github.com/Arachni/arachni/ Powerful but complex
Confidential & proprietary © Sqreen, 2015 Dynamic analysis - Jenkins integration No Jenkins plugin Do it yourself JUnit XML (contact me) Order tests by sensitivity Set a short timeout Dynamic tests: the faster server the better Puma did well
Confidential & proprietary © Sqreen, 2015 Demo
Confidential & proprietary © Sqreen, 2015 Brakeman detects 2 XSS
Confidential & proprietary © Sqreen, 2015 Brakeman detected XSS details Undetected issue Fake issue: @secure is static! Real XSS
Confidential & proprietary © Sqreen, 2015 Arachne scan result
Confidential & proprietary © Sqreen, 2015 Arachne issue details
Confidential & proprietary © Sqreen, 2015 Issues False positives lower CI confidence Cannot test against production (dangerous), lead to more false positives Tools updates depend on maintainers will Need to iteratively adapt your code Vulnerabilities debt (legacy) Security tests are not written by you Need deep attack knowledge to understand them
Confidential & proprietary © Sqreen, 2015 Sqreen: you code, we protect We automatically protect your apps Strong and transparent Beta program available: Come and see me if you have Rails or Sinatra based applications Sqreen is hiring : http://sqreen.io/jobs.html

Recommended

Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing Sqreen
 
Tune your App Perf (and get fit for summer)
Tune your App Perf (and get fit for summer)Tune your App Perf (and get fit for summer)
Tune your App Perf (and get fit for summer)Sqreen
 
Application Security from the Inside - OWASP
Application Security from the Inside - OWASPApplication Security from the Inside - OWASP
Application Security from the Inside - OWASPSqreen
 
Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Sqreen
 
Securing Serverless - By Breaking In
Securing Serverless - By Breaking InSecuring Serverless - By Breaking In
Securing Serverless - By Breaking InGuy Podjarny
 
Signal r core workshop - netconf
Signal r core workshop - netconf Signal r core workshop - netconf
Signal r core workshop - netconf Miguel Angel Teheran Garcia
 
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...Lacework
 
Application Security in a Container World - Akash Mahajan - BCC 2017
Application Security in a Container World - Akash Mahajan - BCC 2017Application Security in a Container World - Akash Mahajan - BCC 2017
Application Security in a Container World - Akash Mahajan - BCC 2017CodeOps Technologies LLP
 

Recommended

Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing Sqreen
 
Tune your App Perf (and get fit for summer)
Tune your App Perf (and get fit for summer)Tune your App Perf (and get fit for summer)
Tune your App Perf (and get fit for summer)Sqreen
 
Application Security from the Inside - OWASP
Application Security from the Inside - OWASPApplication Security from the Inside - OWASP
Application Security from the Inside - OWASPSqreen
 
Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Sqreen
 
Securing Serverless - By Breaking In
Securing Serverless - By Breaking InSecuring Serverless - By Breaking In
Securing Serverless - By Breaking InGuy Podjarny
 
Signal r core workshop - netconf
Signal r core workshop - netconf Signal r core workshop - netconf
Signal r core workshop - netconf Miguel Angel Teheran Garcia
 
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...Lacework
 
Application Security in a Container World - Akash Mahajan - BCC 2017
Application Security in a Container World - Akash Mahajan - BCC 2017Application Security in a Container World - Akash Mahajan - BCC 2017
Application Security in a Container World - Akash Mahajan - BCC 2017CodeOps Technologies LLP
 
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...Lacework
 
Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework
 
Mitigate Security Threats with SIEM
Mitigate Security Threats with SIEMMitigate Security Threats with SIEM
Mitigate Security Threats with SIEMAkamai Developers & Admins
 
Self Service for IT Infrastructure
Self Service for IT Infrastructure Self Service for IT Infrastructure
Self Service for IT Infrastructure Cisco DevNet
 
Security in OSS DevOps
Security in OSS DevOpsSecurity in OSS DevOps
Security in OSS DevOpsCheah Eng Soon
 
Better Bug Stomping with Zend Studio and Zend Server
Better Bug Stomping with Zend Studio and Zend ServerBetter Bug Stomping with Zend Studio and Zend Server
Better Bug Stomping with Zend Studio and Zend ServerZend by Rogue Wave Software
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationPuppet
 
Using Security To Build
 With Confidence In AWS - Trend Micro
Using Security To Build
 With Confidence In AWS - Trend MicroUsing Security To Build
 With Confidence In AWS - Trend Micro
Using Security To Build
 With Confidence In AWS - Trend MicroAmazon Web Services
 
Using Security To Build With Confidence - Session Sponsored by Trend Micro
Using Security To Build With Confidence - Session Sponsored by Trend MicroUsing Security To Build With Confidence - Session Sponsored by Trend Micro
Using Security To Build With Confidence - Session Sponsored by Trend MicroAmazon Web Services
 
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran
 
Set up a Development Environment in 5 Minutes
Set up a Development Environment in 5 MinutesSet up a Development Environment in 5 Minutes
Set up a Development Environment in 5 MinutesAkamai Developers & Admins
 
All Your Containers Are Belong To Us
All Your Containers Are Belong To UsAll Your Containers Are Belong To Us
All Your Containers Are Belong To UsLacework
 
Principles Of Chaos Engineering - Chaos Engineering Hamburg
Principles Of Chaos Engineering - Chaos Engineering HamburgPrinciples Of Chaos Engineering - Chaos Engineering Hamburg
Principles Of Chaos Engineering - Chaos Engineering HamburgNils Meder
 
Manage Your Akamai-as-Code with Terraform
Manage Your Akamai-as-Code with TerraformManage Your Akamai-as-Code with Terraform
Manage Your Akamai-as-Code with TerraformAkamai Developers & Admins
 
Deployment Automation & Self-Healing with Dynatrace & Ansible
Deployment Automation & Self-Healing with Dynatrace & AnsibleDeployment Automation & Self-Healing with Dynatrace & Ansible
Deployment Automation & Self-Healing with Dynatrace & AnsibleJürgen Etzlstorfer
 
Infrastructure as Code
Infrastructure as CodeInfrastructure as Code
Infrastructure as CodePrasant Kumar
 
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes BackBSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes BackLacework
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSTeri Radichel
 
.NET Security (Radu Vunvulea)
.NET Security (Radu Vunvulea).NET Security (Radu Vunvulea)
.NET Security (Radu Vunvulea)Radu Vunvulea
 
Ignite Denver - Robots!
Ignite Denver - Robots!Ignite Denver - Robots!
Ignite Denver - Robots!360|Conferences
 
How to-use-buffer-by-ella
How to-use-buffer-by-ellaHow to-use-buffer-by-ella
How to-use-buffer-by-ellaEleaza Rose Devilleres
 
From Second Screen to Multi-Screen: We Are Social's Guide to Social Screens
From Second Screen to Multi-Screen: We Are Social's Guide to Social ScreensFrom Second Screen to Multi-Screen: We Are Social's Guide to Social Screens
From Second Screen to Multi-Screen: We Are Social's Guide to Social ScreensWe Are Social Singapore
 

More Related Content

What's hot

DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...Lacework
 
Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework
 
Self Service for IT Infrastructure
Self Service for IT Infrastructure Self Service for IT Infrastructure
Self Service for IT Infrastructure Cisco DevNet
 
Security in OSS DevOps
Security in OSS DevOpsSecurity in OSS DevOps
Security in OSS DevOpsCheah Eng Soon
 
Better Bug Stomping with Zend Studio and Zend Server
Better Bug Stomping with Zend Studio and Zend ServerBetter Bug Stomping with Zend Studio and Zend Server
Better Bug Stomping with Zend Studio and Zend ServerZend by Rogue Wave Software
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationPuppet
 
Using Security To Build
 With Confidence In AWS - Trend Micro
Using Security To Build
 With Confidence In AWS - Trend MicroUsing Security To Build
 With Confidence In AWS - Trend Micro
Using Security To Build
 With Confidence In AWS - Trend MicroAmazon Web Services
 
Using Security To Build With Confidence - Session Sponsored by Trend Micro
Using Security To Build With Confidence - Session Sponsored by Trend MicroUsing Security To Build With Confidence - Session Sponsored by Trend Micro
Using Security To Build With Confidence - Session Sponsored by Trend MicroAmazon Web Services
 
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran
 
All Your Containers Are Belong To Us
All Your Containers Are Belong To UsAll Your Containers Are Belong To Us
All Your Containers Are Belong To UsLacework
 
Principles Of Chaos Engineering - Chaos Engineering Hamburg
Principles Of Chaos Engineering - Chaos Engineering HamburgPrinciples Of Chaos Engineering - Chaos Engineering Hamburg
Principles Of Chaos Engineering - Chaos Engineering HamburgNils Meder
 
Deployment Automation & Self-Healing with Dynatrace & Ansible
Deployment Automation & Self-Healing with Dynatrace & AnsibleDeployment Automation & Self-Healing with Dynatrace & Ansible
Deployment Automation & Self-Healing with Dynatrace & AnsibleJürgen Etzlstorfer
 
Infrastructure as Code
Infrastructure as CodeInfrastructure as Code
Infrastructure as CodePrasant Kumar
 
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes BackBSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes BackLacework
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSTeri Radichel
 
.NET Security (Radu Vunvulea)
.NET Security (Radu Vunvulea).NET Security (Radu Vunvulea)
.NET Security (Radu Vunvulea)Radu Vunvulea
 

What's hot (20)

DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
 
Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security Threats
 
Mitigate Security Threats with SIEM
Mitigate Security Threats with SIEMMitigate Security Threats with SIEM
Mitigate Security Threats with SIEM
 
Self Service for IT Infrastructure
Self Service for IT Infrastructure Self Service for IT Infrastructure
Self Service for IT Infrastructure
 
Security in OSS DevOps
Security in OSS DevOpsSecurity in OSS DevOps
Security in OSS DevOps
 
Better Bug Stomping with Zend Studio and Zend Server
Better Bug Stomping with Zend Studio and Zend ServerBetter Bug Stomping with Zend Studio and Zend Server
Better Bug Stomping with Zend Studio and Zend Server
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automation
 
Using Security To Build
 With Confidence In AWS - Trend Micro
Using Security To Build
 With Confidence In AWS - Trend MicroUsing Security To Build
 With Confidence In AWS - Trend Micro
Using Security To Build
 With Confidence In AWS - Trend Micro
 
Using Security To Build With Confidence - Session Sponsored by Trend Micro
Using Security To Build With Confidence - Session Sponsored by Trend MicroUsing Security To Build With Confidence - Session Sponsored by Trend Micro
Using Security To Build With Confidence - Session Sponsored by Trend Micro
 
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
 
Set up a Development Environment in 5 Minutes
Set up a Development Environment in 5 MinutesSet up a Development Environment in 5 Minutes
Set up a Development Environment in 5 Minutes
 
All Your Containers Are Belong To Us
All Your Containers Are Belong To UsAll Your Containers Are Belong To Us
All Your Containers Are Belong To Us
 
Principles Of Chaos Engineering - Chaos Engineering Hamburg
Principles Of Chaos Engineering - Chaos Engineering HamburgPrinciples Of Chaos Engineering - Chaos Engineering Hamburg
Principles Of Chaos Engineering - Chaos Engineering Hamburg
 
Manage Your Akamai-as-Code with Terraform
Manage Your Akamai-as-Code with TerraformManage Your Akamai-as-Code with Terraform
Manage Your Akamai-as-Code with Terraform
 
Deployment Automation & Self-Healing with Dynatrace & Ansible
Deployment Automation & Self-Healing with Dynatrace & AnsibleDeployment Automation & Self-Healing with Dynatrace & Ansible
Deployment Automation & Self-Healing with Dynatrace & Ansible
 
Infrastructure as Code
Infrastructure as CodeInfrastructure as Code
Infrastructure as Code
 
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes BackBSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWS
 
.NET Security (Radu Vunvulea)
.NET Security (Radu Vunvulea).NET Security (Radu Vunvulea)
.NET Security (Radu Vunvulea)
 
Ignite Denver - Robots!
Ignite Denver - Robots!Ignite Denver - Robots!
Ignite Denver - Robots!
 

Viewers also liked

From Second Screen to Multi-Screen: We Are Social's Guide to Social Screens
From Second Screen to Multi-Screen: We Are Social's Guide to Social ScreensFrom Second Screen to Multi-Screen: We Are Social's Guide to Social Screens
From Second Screen to Multi-Screen: We Are Social's Guide to Social ScreensWe Are Social Singapore
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Christian Schneider
 
7 Tips to Beautiful PowerPoint by @itseugenec
7 Tips to Beautiful PowerPoint by @itseugenec7 Tips to Beautiful PowerPoint by @itseugenec
7 Tips to Beautiful PowerPoint by @itseugenecEugene Cheng
 
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)Board of Innovation
 
The Seven Deadly Social Media Sins
The Seven Deadly Social Media SinsThe Seven Deadly Social Media Sins
The Seven Deadly Social Media SinsXPLAIN
 
Five Killer Ways to Design The Same Slide
Five Killer Ways to Design The Same SlideFive Killer Ways to Design The Same Slide
Five Killer Ways to Design The Same SlideCrispy Presentations
 
How People Really Hold and Touch (their Phones)
How People Really Hold and Touch (their Phones)How People Really Hold and Touch (their Phones)
How People Really Hold and Touch (their Phones)Steven Hoober
 
Upworthy: 10 Ways To Win The Internets
Upworthy: 10 Ways To Win The InternetsUpworthy: 10 Ways To Win The Internets
Upworthy: 10 Ways To Win The InternetsUpworthy
 
What 33 Successful Entrepreneurs Learned From Failure
What 33 Successful Entrepreneurs Learned From FailureWhat 33 Successful Entrepreneurs Learned From Failure
What 33 Successful Entrepreneurs Learned From FailureReferralCandy
 
Why Content Marketing Fails
Why Content Marketing FailsWhy Content Marketing Fails
Why Content Marketing FailsRand Fishkin
 
The History of SEO
The History of SEOThe History of SEO
The History of SEOHubSpot
 
How To (Really) Get Into Marketing
How To (Really) Get Into MarketingHow To (Really) Get Into Marketing
How To (Really) Get Into MarketingEd Fry
 
The What If Technique presented by Motivate Design
The What If Technique presented by Motivate DesignThe What If Technique presented by Motivate Design
The What If Technique presented by Motivate DesignMotivate Design
 
10 Powerful Body Language Tips for your next Presentation
10 Powerful Body Language Tips for your next Presentation10 Powerful Body Language Tips for your next Presentation
10 Powerful Body Language Tips for your next PresentationSOAP Presentations
 
Crap. The Content Marketing Deluge.
Crap. The Content Marketing Deluge.Crap. The Content Marketing Deluge.
Crap. The Content Marketing Deluge.Velocity Partners
 

Viewers also liked (20)

How to-use-buffer-by-ella
How to-use-buffer-by-ellaHow to-use-buffer-by-ella
How to-use-buffer-by-ella
 
From Second Screen to Multi-Screen: We Are Social's Guide to Social Screens
From Second Screen to Multi-Screen: We Are Social's Guide to Social ScreensFrom Second Screen to Multi-Screen: We Are Social's Guide to Social Screens
From Second Screen to Multi-Screen: We Are Social's Guide to Social Screens
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
 
SteadyBudget's Seed Funding Pitch Deck
SteadyBudget's Seed Funding Pitch DeckSteadyBudget's Seed Funding Pitch Deck
SteadyBudget's Seed Funding Pitch Deck
 
7 Tips to Beautiful PowerPoint by @itseugenec
7 Tips to Beautiful PowerPoint by @itseugenec7 Tips to Beautiful PowerPoint by @itseugenec
7 Tips to Beautiful PowerPoint by @itseugenec
 
The Minimum Loveable Product
The Minimum Loveable ProductThe Minimum Loveable Product
The Minimum Loveable Product
 
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
 
The Seven Deadly Social Media Sins
The Seven Deadly Social Media SinsThe Seven Deadly Social Media Sins
The Seven Deadly Social Media Sins
 
Five Killer Ways to Design The Same Slide
Five Killer Ways to Design The Same SlideFive Killer Ways to Design The Same Slide
Five Killer Ways to Design The Same Slide
 
How People Really Hold and Touch (their Phones)
How People Really Hold and Touch (their Phones)How People Really Hold and Touch (their Phones)
How People Really Hold and Touch (their Phones)
 
Upworthy: 10 Ways To Win The Internets
Upworthy: 10 Ways To Win The InternetsUpworthy: 10 Ways To Win The Internets
Upworthy: 10 Ways To Win The Internets
 
What 33 Successful Entrepreneurs Learned From Failure
What 33 Successful Entrepreneurs Learned From FailureWhat 33 Successful Entrepreneurs Learned From Failure
What 33 Successful Entrepreneurs Learned From Failure
 
Design Your Career 2018
Design Your Career 2018Design Your Career 2018
Design Your Career 2018
 
Why Content Marketing Fails
Why Content Marketing FailsWhy Content Marketing Fails
Why Content Marketing Fails
 
The History of SEO
The History of SEOThe History of SEO
The History of SEO
 
How To (Really) Get Into Marketing
How To (Really) Get Into MarketingHow To (Really) Get Into Marketing
How To (Really) Get Into Marketing
 
The What If Technique presented by Motivate Design
The What If Technique presented by Motivate DesignThe What If Technique presented by Motivate Design
The What If Technique presented by Motivate Design
 
Displaying Data
Displaying DataDisplaying Data
Displaying Data
 
10 Powerful Body Language Tips for your next Presentation
10 Powerful Body Language Tips for your next Presentation10 Powerful Body Language Tips for your next Presentation
10 Powerful Body Language Tips for your next Presentation
 
Crap. The Content Marketing Deluge.
Crap. The Content Marketing Deluge.Crap. The Content Marketing Deluge.
Crap. The Content Marketing Deluge.
 

Similar to Ruby on Rails security in your Continuous Integration

Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019
Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019
Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019Codemotion
 
Kim van Wilgen - Continuous security - Codemotion Rome 2019
Kim van Wilgen - Continuous security - Codemotion Rome 2019Kim van Wilgen - Continuous security - Codemotion Rome 2019
Kim van Wilgen - Continuous security - Codemotion Rome 2019Codemotion
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left SecurityBATbern
 
SPI Dynamics web application security 101
SPI Dynamics web application security 101 SPI Dynamics web application security 101
SPI Dynamics web application security 101 Wade Malone
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSEric Smalling
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15Ed Bellis
 
Security Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud WorldSecurity Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud WorldMark Nunnikhoven
 
360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration Security360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration SecurityDevOps.com
 
Reducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at NetflixReducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at NetflixSBWebinars
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybSeniorStoryteller
 
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...Kevin Fealey
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileOleg Gryb
 
Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro Amazon Web Services
 
Security Observability for Cloud Based Applications
Security Observability for Cloud Based ApplicationsSecurity Observability for Cloud Based Applications
Security Observability for Cloud Based ApplicationsJohn Varghese
 
Practical DevSecOps - How to Continuosly Adapt to Threats_AWSPSSummit_Singapore
Practical DevSecOps - How to Continuosly Adapt to Threats_AWSPSSummit_SingaporePractical DevSecOps - How to Continuosly Adapt to Threats_AWSPSSummit_Singapore
Practical DevSecOps - How to Continuosly Adapt to Threats_AWSPSSummit_SingaporeAmazon Web Services
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCSuman Sourav
 
LF_APIStrat17_Bulletproofing Your API's
LF_APIStrat17_Bulletproofing Your API'sLF_APIStrat17_Bulletproofing Your API's
LF_APIStrat17_Bulletproofing Your API'sLF_APIStrat
 

Similar to Ruby on Rails security in your Continuous Integration (20)

Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019
Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019
Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019
 
Continuous security
Continuous securityContinuous security
Continuous security
 
Kim van Wilgen - Continuous security - Codemotion Rome 2019
Kim van Wilgen - Continuous security - Codemotion Rome 2019Kim van Wilgen - Continuous security - Codemotion Rome 2019
Kim van Wilgen - Continuous security - Codemotion Rome 2019
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 
SPI Dynamics web application security 101
SPI Dynamics web application security 101 SPI Dynamics web application security 101
SPI Dynamics web application security 101
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15
 
Security Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud WorldSecurity Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud World
 
360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration Security360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration Security
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
 
Reducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at NetflixReducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at Netflix
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg Gryb
 
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro
 
Security Observability for Cloud Based Applications
Security Observability for Cloud Based ApplicationsSecurity Observability for Cloud Based Applications
Security Observability for Cloud Based Applications
 
Practical DevSecOps - How to Continuosly Adapt to Threats_AWSPSSummit_Singapore
Practical DevSecOps - How to Continuosly Adapt to Threats_AWSPSSummit_SingaporePractical DevSecOps - How to Continuosly Adapt to Threats_AWSPSSummit_Singapore
Practical DevSecOps - How to Continuosly Adapt to Threats_AWSPSSummit_Singapore
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
LF_APIStrat17_Bulletproofing Your API's
LF_APIStrat17_Bulletproofing Your API'sLF_APIStrat17_Bulletproofing Your API's
LF_APIStrat17_Bulletproofing Your API's
 

Recently uploaded

Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Nitya salvi
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024Mind IT Systems
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is insideshinachiaurasa2
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech studentsHimanshiGarg82
 
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburgmasabamasaba
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyviewmasabamasaba
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionOnePlan Solutions
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidPhilip Schwarz
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfVishalKumarJha10
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfkalichargn70th171
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park masabamasaba
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Hararemasabamasaba
 
SHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions PresentationSHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions PresentationShrmpro
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 

Recently uploaded (20)

Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
SHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions PresentationSHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions Presentation
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 

Ruby on Rails security in your Continuous Integration

  • 1. Confidential & proprietary © Sqreen, 2015 Rails Security Continuous Integration We make products antifragile.
  • 2. Confidential & proprietary © Sqreen, 2015 Jean-Baptiste Aviat Sqreen CTO (https://sqreen.io) Former Apple software security engineer Former white hat hacker Twitter: @JbAviat Email: jb@sqreen.io
  • 3. Confidential & proprietary © Sqreen, 2015 –Agent Smith “Never send a human to do a machine's job.”
  • 4. Confidential & proprietary © Sqreen, 2015 Continuous Integration Quality: automate everything you can Unit tests at every commit Integration tests at every commit Test against a production like stack Maximize confidence for every commit
  • 5. Confidential & proprietary © Sqreen, 2015 –Edsger W. Dijkstra “Testing shows the presence, not the absence of bugs.”
  • 6. Confidential & proprietary © Sqreen, 2015 Static & Dynamic analysis
  • 7. Confidential & proprietary © Sqreen, 2015 Static analysis - Brakeman http://brakemanscanner.org/ Written in Ruby Dedicated to Ruby on Rails Open source: https://github.com/presidentbeef/brakeman Podcast: Ruby Rogues #219
  • 8. Confidential & proprietary © Sqreen, 2015 Static analysis - Jenkins integration Jenkins plugin: https://wiki.jenkins-ci.org/display/JENKINS/Brakeman+Plugin Install Gem on test server Add an adequate test to Jenkins Done.
  • 9. Confidential & proprietary © Sqreen, 2015 Dynamic analysis - Arachni http://www.arachni-scanner.com/ Written in Ruby Compatible with any Web application Open source: https://github.com/Arachni/arachni/ Powerful but complex
  • 10. Confidential & proprietary © Sqreen, 2015 Dynamic analysis - Jenkins integration No Jenkins plugin Do it yourself JUnit XML (contact me) Order tests by sensitivity Set a short timeout Dynamic tests: the faster server the better Puma did well
  • 11. Confidential & proprietary © Sqreen, 2015 Demo
  • 12. Confidential & proprietary © Sqreen, 2015 Brakeman detects 2 XSS
  • 13. Confidential & proprietary © Sqreen, 2015 Brakeman detected XSS details Undetected issue Fake issue: @secure is static! Real XSS
  • 14. Confidential & proprietary © Sqreen, 2015 Arachne scan result
  • 15. Confidential & proprietary © Sqreen, 2015 Arachne issue details
  • 16. Confidential & proprietary © Sqreen, 2015 Issues False positives lower CI confidence Cannot test against production (dangerous), lead to more false positives Tools updates depend on maintainers will Need to iteratively adapt your code Vulnerabilities debt (legacy) Security tests are not written by you Need deep attack knowledge to understand them
  • 17. Confidential & proprietary © Sqreen, 2015 Sqreen: you code, we protect We automatically protect your apps Strong and transparent Beta program available: Come and see me if you have Rails or Sinatra based applications Sqreen is hiring : http://sqreen.io/jobs.html