SlideShare uma empresa Scribd logo

Monitoring Attack Surface to Secure DevOps Pipelines

Denim Group
Denim Group

A web application’s attack surface is the combination of URLs it will respond to as well as the inputs to those URLs that can change the behavior of the application. Understanding an application’s attack surface is critical to being able to provide sufficient security test coverage, and by watching an application’s attack surface change over time security and development teams can help target and optimize testing activities. This presentation looks at methods of calculating web application attack surface and tracking the evolution of attack surface over time. In addition, it looks at metrics and thresholds that can be used to craft policies for integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD) pipelines for teams integrating security into their DevOps practices.

Tecnologia
1 de 40
Baixar para ler offline
© 2016 Denim Group – All Rights Reserved Monitoring Attack Surface to Secure DevOps Pipelines Dan Cornell @danielcornell 0
© 2016 Denim Group – All Rights Reserved Agenda • Background • Importance of Attack Surface • What Does Attack Surface Have to Do with DevOps? • Hybrid Analysis Mapping (HAM) Background • Installation Instructions • Use Cases • Questions
© 2016 Denim Group – All Rights Reserved My Background • Dan Cornell, founder and CTO of Denim Group • Software developer by background (Java, .NET, etc) • OWASP San Antonio • OWASP OpenSAMM Benchmark 2
© 2016 Denim Group – All Rights Reserved Denim Group Background • Secure software services and products company • Builds secure software • Helps organizations assess and mitigate risk of in-house developed and third party software • Provides classroom training and e-Learning so clients can build software securely • Software-centric view of application security • Application security experts are practicing developers • Development pedigree translates to rapport with development managers • Business impact: shorter time-to-fix application vulnerabilities • Culture of application security innovation and contribution • Develops open source tools to help clients mature their software security programs • Remediation Resource Center, ThreadFix • OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI • World class alliance partners accelerate innovation to solve client problems 3
© 2016 Denim Group – All Rights Reserved OWASP ZAP • Open source web proxy and dynamic application security testing tool • https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
© 2016 Denim Group – All Rights Reserved Example Codebases • BodgeIt Store • Example vulnerable web application • https://github.com/psiinon/bodgeit • Java Spring Petstore • Example Spring application • https://github.com/spring-projects/spring-petclinic • Railsgoat • Example vulnerable web application • https://github.com/OWASP/railsgoat
© 2016 Denim Group – All Rights Reserved ThreadFix Community Edition • Application vulnerability management • And some other stuff • https://github.com/denimgroup/threadfix
© 2016 Denim Group – All Rights Reserved Downloads • https://dl.dropboxusercontent.com/u/737351/endpoints-json.jar • https://dl.dropboxusercontent.com/u/737351/threadfix-release-2.zap • https://github.com/denimgroup/threadfix-examples/tree/master/web_app_attack_surface
© 2016 Denim Group – All Rights Reserved Importance of Attack Surface 8
© 2016 Denim Group – All Rights Reserved Importance of Attack Surface • This is where an attacker can “reach out and touch” your application • Web: Mostly in the HTTP request: URL, parameters, headers (cookies) • Mobile, IoT: More complicated • We will focus on web today • Target for dynamic testing • Automated DAST • Manual assessment/penetration testing 9
© 2016 Denim Group – All Rights Reserved What Does Attack Surface Have to Do With DevOps? • If you want your talk to be accepted, it has to have DevOps in the title • Let’s look at what we want from security in the DevOps pipeline 10
© 2016 Denim Group – All Rights Reserved Security in the DevOps Pipeline Organizations like Etsy and Netflix are doing amazing things to secure apps via their DevOps pipelines 11
© 2016 Denim Group – All Rights Reserved Security in the DevOps Pipeline • Testing • Synchronous • Asynchronous • Decision • Reporting 12
© 2016 Denim Group – All Rights Reserved Focus on Testing in DevOps Pipeline • Many security tools run too long to include in many pipeline builds • Full SAST, DAST • Security testing also includes manual testing • Which is way too slow for most pipeline builds • Tracking attack surface changes over time can help us: • Focus testing activities • Trigger testing activities 13
© 2016 Denim Group – All Rights Reserved Hybrid Analysis Mapping • Goal: Merge the results of SAST and DAST testing • Funded via DHS S&T SBIR contracts • Facilitated the creation of our attack surface modeling engine
© 2016 Denim Group – All Rights Reserved Department of Homeland Security Support • Currently in Phase 2 of a DHS S&T CSD SBIR • Acronyms! • DHS = Department of Homeland Security • S&T = Directorate of Science and Technology • CSD = CyberSecurity Division • SBIR = Small Business Innovation Research • Geared toward developing new technologies for Federal customers • Hybrid Analysis Mapping (HAM) • Technology has been included with ThreadFix • Has also resulted in some other released components we will talk about today • Please do not assume this talk is endorsed by DHS • This is just me talking about what we have done
© 2016 Denim Group – All Rights Reserved Hybrid Analysis Mapping (HAM) • Initial goal: Correlate and merge results from SAST and DAST • After we made that work, we found other stuff we could do with the technology 16
© 2016 Denim Group – All Rights Reserved Hybrid Analysis Mapping (HAM) • Determine the feasibility of developing a system that can reliably and efficiently correlate and merge the results of automated static and dynamic security scans of web applications. HP Fortify SCA IBM AppScan Standard 17
© 2016 Denim Group – All Rights Reserved Dynamic Application Security Testing (DAST) • Spider to enumerate attack surface • Crawl the site like Google would • But with authentication / session detection • Fuzz to identify vulnerabilities based on analysis of request/response patterns • If you send a SQL control character and get a JDBC error message back, that could indicate a SQL injection vulnerability • A finding looks like (CWE, relative URL, [entry point]) 18
© 2016 Denim Group – All Rights Reserved Static Application Security Testing (SAST) • Use source or binary to create a model of the application • Kind of like a compiler or VM • Perform analysis to identify vulnerabilities and weaknesses • Data flow, control flow, semantic, etc • A finding looks like (CWE, code/data flow) 19
© 2016 Denim Group – All Rights Reserved Hybrid Analysis Mapping Sub- Goals • Standardize vulnerability types • Settled on MITRE Common Weakness Enumeration (CWE) • Match dynamic and static locations • Use knowledge of language/web framework to build attack surface database • Improve static parameter parsing • Parse out of source code to match with DAST result 20
© 2016 Denim Group – All Rights Reserved Information Used • Source Code • Git, Subversion, Local Copy • Framework Type • Java: JSP, Spring, Struts • C#: .NET WebForms, .NET MVC • Ruby: Rails • PHP: in progress • Extra information from SAST results (if available) 21
© 2016 Denim Group – All Rights Reserved Unified Endpoint Database • EndpointQuery • dynamicPath • staticPath • Parameter • httpMethod • codePoints [List<CodePoint>] • informationSourceType • EndpointDatabase • findBestMatch(EndpointQuery query): Endpoint • findAllMatches(EndpointQuery query): Set<Endpoint> • getFrameworkType(): FrameworkType
© 2016 Denim Group – All Rights Reserved Merging SAST and DAST Results • I have a DAST result: • (“Reflected XSS”, /login.jsp, “username” parameter) • Query the Endpoint Database: • Entry point is com.something.something.LoginController.java, line 62 • Search the other findings for SAST results like: • (“Reflected XSS”, source at com.something.something.LoginController.java, line 62) • If you find a match – correlate those two findings • Magic!
© 2016 Denim Group – All Rights Reserved That’s Great But I Want More • So our research produced a successful/valuable outcome • Hooray • But – given these data structures, what else can we do? • From an EndpointDatabase we can: • Get all of the application’s attack surface • Map DAST results to a specific line of code • Given those capabilities we can: • Pre-seed scanners with attack surface • Map DAST results to lines of code in a developer IDE • Map DAST results to lines of code in SonarQube
© 2016 Denim Group – All Rights Reserved Scanner Seeding • What if we could give the DAST spidering process a head start? • Pre-seed with all of the attack surface • Landing pages that link in to the application • Hidden directories • Backdoor or “unused” parameters • Currently have plugins for OWASP ZAP and BurpSuite • Plugin for IBM Rational AppScan Standard is in progress https://github.com/denimgroup/threadfix/wiki/Scanner-­Plugins
© 2016 Denim Group – All Rights Reserved Final Thoughts on SBIR Work with DHS S&T • Great use of the SBIR program • In my humble and totally unbiased opinion • Proved to be the tipping point to developing HAM • HAM was interesting, but required material investment • Research produced a successful outcome (we think) • We found other things we could do with the technology • Released much of it open source to increase adoption
© 2016 Denim Group – All Rights Reserved Getting the Plugin • Main ThreadFix site • https://github.com/denimgroup/threadfix/ • ThreadFix build instructions • https://github.com/denimgroup/threadfix/wiki/Development- Environment-Setup • “Running ThreadFix Without an IDE” • Download plugins from ThreadFix
© 2016 Denim Group – All Rights Reserved Plugin Installation Instructions • OWASP ZAP plugin installation instructions • https://github.com/denimgroup/threadfix/wiki/Zap-Plugin • Plugins also available for: • Portswigger BurpSuite Professional • IBM Rational AppScan (soon)
© 2016 Denim Group – All Rights Reserved Attack Surface Enumeration • Find all of the attack surface • URLs • Parameters that will change application behavior • Future: Cookies, other HTTP headers • Why is this a problem? • Hidden landing pages • Multi-step processes that automated crawls don’t traverse • Unknown parameters • Debug/backdoor parameters (will discuss this further) • Great for REST APIs support single-page web applications and mobile applications
© 2016 Denim Group – All Rights Reserved Attack Surface Enumeration Benefits • Reduce false negatives from scanners • Better coverage for standard fuzzing • Pen test all of the application
© 2016 Denim Group – All Rights Reserved Endpoints CLI Notes • Syntax: java –jar [jar-name].jar /path/to/source • JAR name will change based on build ID • After Maven build, can also be found in: $GIT/threadfix/threadfix-cli- endpoints/target/ • You want the ”-jar-with-dependencies” JAR • Will output list of HTTP methods, URLs and parameters based on analysis of the source code • Attack surface! • Add “-json” to the end of the command to get output in JSON format • Easier to manipulate
© 2016 Denim Group – All Rights Reserved Command Line Demo
© 2016 Denim Group – All Rights Reserved Scanner Attack Surface Seeding Demo
© 2016 Denim Group – All Rights Reserved Attack Surface Visualization Demo 34
© 2016 Denim Group – All Rights Reserved Attack Surface Comparison Visualization Demo 35
© 2016 Denim Group – All Rights Reserved Diffing Attack Surface Demo 36
© 2016 Denim Group – All Rights Reserved Applications for DevOps Pipelines • Target DAST testing to focus on new attack surface in latest build • “Run an authenticated ZAP scan against the three new URLs added in the last commit” • Set thresholds for when manual assessment/penetration testing is triggered • “Schedule a manual penetration test when the attack surface has increased by 10 URLs” • “Schedule a manual penetration test when the attack surface has increased by 5%” • Focus those efforts on new attack surface • ChatOps: Attack surface delta notifications on commit • “Commit beb78c835706efe5d619148b9a8dc9e35ee9572b added attack surface: /advanced.jsp, /preferenes.jsp” 37
© 2016 Denim Group – All Rights Reserved Next Steps • Expand the model of application attack surface • Currently: Parameters, HTTP verbs • Working on: HTTP headers (cookies) • Future: Other application types: Mobile, IoT • Better visualization • More details • Better granularity • Native integrations: Jenkins, Slack, HipChat, etc • This is kind of “scripty” right now 38
© 2016 Denim Group – All Rights Reserved Questions / Contact Information Dan Cornell Principal and CTO dan@denimgroup.com Twitter @danielcornell (844) 572-4400 www.denimgroup.com www.threadfix.it 39

Recomendados

ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesDenim Group
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic SecurityDenim Group
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsDenim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationDenim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellDenim Group
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb AppsDenim Group
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Denim Group
 

Recomendados

ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesDenim Group
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic SecurityDenim Group
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsDenim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationDenim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellDenim Group
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb AppsDenim Group
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Denim Group
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramDenim Group
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsDenim Group
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSADenim Group
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Denim Group
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemDenim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesDenim Group
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarDenim Group
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Denim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsDenim Group
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Denim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsDenim Group
 
What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?Denim Group
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldDenim Group
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramDenim Group
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Denim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...Denim Group
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewDenim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationDenim Group
 
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...Denim Group
 
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Achieving Secure DevOps: Overcoming the Risks of Modern Service DeliveryAchieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Achieving Secure DevOps: Overcoming the Risks of Modern Service DeliveryPerforce
 

Mais conteúdo relacionado

Mais procurados

ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramDenim Group
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsDenim Group
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSADenim Group
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Denim Group
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemDenim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesDenim Group
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarDenim Group
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Denim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsDenim Group
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Denim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsDenim Group
 
What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?Denim Group
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldDenim Group
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramDenim Group
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Denim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...Denim Group
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewDenim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationDenim Group
 

Mais procurados (20)

ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security Webinar
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
 
What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security World
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic View
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 

Destaque

ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...Denim Group
 
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Achieving Secure DevOps: Overcoming the Risks of Modern Service DeliveryAchieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Achieving Secure DevOps: Overcoming the Risks of Modern Service DeliveryPerforce
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps JourneyVeracode
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps JourneySonatype
 
The Four(ish) Appsec Metrics You Can’t Ignore
The Four(ish) Appsec Metrics You Can’t IgnoreThe Four(ish) Appsec Metrics You Can’t Ignore
The Four(ish) Appsec Metrics You Can’t IgnoreVeracode
 
from 0 to continuous delivery in 30 minutes
from 0 to continuous delivery in 30 minutesfrom 0 to continuous delivery in 30 minutes
from 0 to continuous delivery in 30 minutesAgileSparks
 
he 7 habits of Highly Effective Organization that Embraced DevOps - Oded Tamir
he 7 habits of Highly Effective Organization that Embraced DevOps - Oded Tamirhe 7 habits of Highly Effective Organization that Embraced DevOps - Oded Tamir
he 7 habits of Highly Effective Organization that Embraced DevOps - Oded TamirAgileSparks
 
DevOps: IT Operations as a Strategic Weapon
DevOps: IT Operations as a Strategic WeaponDevOps: IT Operations as a Strategic Weapon
DevOps: IT Operations as a Strategic Weapondev2ops
 
Next Generation IT Delivery - What it means to deliver atthe speed of the Dig...
Next Generation IT Delivery - What it means to deliver atthe speed of the Dig...Next Generation IT Delivery - What it means to deliver atthe speed of the Dig...
Next Generation IT Delivery - What it means to deliver atthe speed of the Dig...Mirco Hering
 
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Denim Group
 
What a locked down law firm looks like updated
What a locked down law firm looks like updatedWhat a locked down law firm looks like updated
What a locked down law firm looks like updatedDenim Group
 
Without Self-Service Operations, the Cloud is Just Expensive Hosting 2.0 - (a...
Without Self-Service Operations, the Cloud is Just Expensive Hosting 2.0 - (a...Without Self-Service Operations, the Cloud is Just Expensive Hosting 2.0 - (a...
Without Self-Service Operations, the Cloud is Just Expensive Hosting 2.0 - (a...dev2ops
 
DevOps Transition Strategies
DevOps Transition StrategiesDevOps Transition Strategies
DevOps Transition StrategiesAlec Lazarescu
 
Running a High-Efficiency, High-Visibility Application Security Program with...
Running a High-Efficiency, High-Visibility Application Security Program with...Running a High-Efficiency, High-Visibility Application Security Program with...
Running a High-Efficiency, High-Visibility Application Security Program with...Denim Group
 
DevOps: The Future is Already Here — It’s Just Unevenly Distributed
DevOps: The Future is Already Here — It’s Just Unevenly DistributedDevOps: The Future is Already Here — It’s Just Unevenly Distributed
DevOps: The Future is Already Here — It’s Just Unevenly Distributeddev2ops
 
Bimodal IT: Shortcut to Innovation or Path to Dysfunction?
Bimodal IT: Shortcut to Innovation or Path to Dysfunction?Bimodal IT: Shortcut to Innovation or Path to Dysfunction?
Bimodal IT: Shortcut to Innovation or Path to Dysfunction?dev2ops
 
Optimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFixOptimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFixDenim Group
 
Building DevOps culture from bottom up
Building DevOps culture from bottom upBuilding DevOps culture from bottom up
Building DevOps culture from bottom upSQUADEX
 

Destaque (20)

ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
 
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Achieving Secure DevOps: Overcoming the Risks of Modern Service DeliveryAchieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps Journey
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps Journey
 
The Four(ish) Appsec Metrics You Can’t Ignore
The Four(ish) Appsec Metrics You Can’t IgnoreThe Four(ish) Appsec Metrics You Can’t Ignore
The Four(ish) Appsec Metrics You Can’t Ignore
 
from 0 to continuous delivery in 30 minutes
from 0 to continuous delivery in 30 minutesfrom 0 to continuous delivery in 30 minutes
from 0 to continuous delivery in 30 minutes
 
he 7 habits of Highly Effective Organization that Embraced DevOps - Oded Tamir
he 7 habits of Highly Effective Organization that Embraced DevOps - Oded Tamirhe 7 habits of Highly Effective Organization that Embraced DevOps - Oded Tamir
he 7 habits of Highly Effective Organization that Embraced DevOps - Oded Tamir
 
Enabling Enterprises Adopt DevOps
Enabling Enterprises Adopt DevOpsEnabling Enterprises Adopt DevOps
Enabling Enterprises Adopt DevOps
 
DevOps: IT Operations as a Strategic Weapon
DevOps: IT Operations as a Strategic WeaponDevOps: IT Operations as a Strategic Weapon
DevOps: IT Operations as a Strategic Weapon
 
Next Generation IT Delivery - What it means to deliver atthe speed of the Dig...
Next Generation IT Delivery - What it means to deliver atthe speed of the Dig...Next Generation IT Delivery - What it means to deliver atthe speed of the Dig...
Next Generation IT Delivery - What it means to deliver atthe speed of the Dig...
 
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...
 
What a locked down law firm looks like updated
What a locked down law firm looks like updatedWhat a locked down law firm looks like updated
What a locked down law firm looks like updated
 
Without Self-Service Operations, the Cloud is Just Expensive Hosting 2.0 - (a...
Without Self-Service Operations, the Cloud is Just Expensive Hosting 2.0 - (a...Without Self-Service Operations, the Cloud is Just Expensive Hosting 2.0 - (a...
Without Self-Service Operations, the Cloud is Just Expensive Hosting 2.0 - (a...
 
DevOps Transition Strategies
DevOps Transition StrategiesDevOps Transition Strategies
DevOps Transition Strategies
 
Running a High-Efficiency, High-Visibility Application Security Program with...
Running a High-Efficiency, High-Visibility Application Security Program with...Running a High-Efficiency, High-Visibility Application Security Program with...
Running a High-Efficiency, High-Visibility Application Security Program with...
 
DevOps: The Future is Already Here — It’s Just Unevenly Distributed
DevOps: The Future is Already Here — It’s Just Unevenly DistributedDevOps: The Future is Already Here — It’s Just Unevenly Distributed
DevOps: The Future is Already Here — It’s Just Unevenly Distributed
 
Bimodal IT: Shortcut to Innovation or Path to Dysfunction?
Bimodal IT: Shortcut to Innovation or Path to Dysfunction?Bimodal IT: Shortcut to Innovation or Path to Dysfunction?
Bimodal IT: Shortcut to Innovation or Path to Dysfunction?
 
Optimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFixOptimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFix
 
Agile AppSec DevOps
Agile AppSec DevOpsAgile AppSec DevOps
Agile AppSec DevOps
 
Building DevOps culture from bottom up
Building DevOps culture from bottom upBuilding DevOps culture from bottom up
Building DevOps culture from bottom up
 

Semelhante a Monitoring Attack Surface to Secure DevOps Pipelines

Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Denim Group
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...Denim Group
 
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...Monitoring Application Attack Surface and Integrating Security into DevOps Pi...
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...Denim Group
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldRogue Wave Software
 
How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program Denim Group
 
Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix Denim Group
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFixDenim Group
 
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Clark Everetts
 
Rapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysisRapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysisRogue Wave Software
 
Agile DevOps Transformation At HUD (AgileDC 2017)
Agile DevOps Transformation At HUD (AgileDC 2017)Agile DevOps Transformation At HUD (AgileDC 2017)
Agile DevOps Transformation At HUD (AgileDC 2017)Marco Corona
 
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Software Integrity Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemRogue Wave Software
 
Riyadh Meetup4- Sonarqube for Mule 4 Code review
Riyadh Meetup4- Sonarqube for Mule 4 Code reviewRiyadh Meetup4- Sonarqube for Mule 4 Code review
Riyadh Meetup4- Sonarqube for Mule 4 Code reviewsatyasekhar123
 
DevOps as a Pathway to AWS | AWS Public Sector Summit 2016
DevOps as a Pathway to AWS | AWS Public Sector Summit 2016DevOps as a Pathway to AWS | AWS Public Sector Summit 2016
DevOps as a Pathway to AWS | AWS Public Sector Summit 2016Amazon Web Services
 
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Shannon Williams
 
Native - Hybrid - Web Mobile Architectures
Native - Hybrid - Web Mobile ArchitecturesNative - Hybrid - Web Mobile Architectures
Native - Hybrid - Web Mobile ArchitecturesPhong Le Duy
 
Application Deployment Patterns in the Cloud - NOVA Cloud and Software Engine...
Application Deployment Patterns in the Cloud - NOVA Cloud and Software Engine...Application Deployment Patterns in the Cloud - NOVA Cloud and Software Engine...
Application Deployment Patterns in the Cloud - NOVA Cloud and Software Engine...Derek Ashmore
 
Software development in the modern age
Software development in the modern ageSoftware development in the modern age
Software development in the modern ageRoy Wasse
 
Building a DevOps pipeline for Serverless by using Mocha, GitHub and Travis
Building a DevOps pipeline for Serverless by using Mocha, GitHub and TravisBuilding a DevOps pipeline for Serverless by using Mocha, GitHub and Travis
Building a DevOps pipeline for Serverless by using Mocha, GitHub and TravisExove
 

Semelhante a Monitoring Attack Surface to Secure DevOps Pipelines (20)

Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
 
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...Monitoring Application Attack Surface and Integrating Security into DevOps Pi...
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program
 
Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
 
Rapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysisRapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysis
 
Agile DevOps Transformation At HUD (AgileDC 2017)
Agile DevOps Transformation At HUD (AgileDC 2017)Agile DevOps Transformation At HUD (AgileDC 2017)
Agile DevOps Transformation At HUD (AgileDC 2017)
 
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Riyadh Meetup4- Sonarqube for Mule 4 Code review
Riyadh Meetup4- Sonarqube for Mule 4 Code reviewRiyadh Meetup4- Sonarqube for Mule 4 Code review
Riyadh Meetup4- Sonarqube for Mule 4 Code review
 
DevOps as a Pathway to AWS | AWS Public Sector Summit 2016
DevOps as a Pathway to AWS | AWS Public Sector Summit 2016DevOps as a Pathway to AWS | AWS Public Sector Summit 2016
DevOps as a Pathway to AWS | AWS Public Sector Summit 2016
 
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
 
Native - Hybrid - Web Mobile Architectures
Native - Hybrid - Web Mobile ArchitecturesNative - Hybrid - Web Mobile Architectures
Native - Hybrid - Web Mobile Architectures
 
Application Deployment Patterns in the Cloud - NOVA Cloud and Software Engine...
Application Deployment Patterns in the Cloud - NOVA Cloud and Software Engine...Application Deployment Patterns in the Cloud - NOVA Cloud and Software Engine...
Application Deployment Patterns in the Cloud - NOVA Cloud and Software Engine...
 
Software development in the modern age
Software development in the modern ageSoftware development in the modern age
Software development in the modern age
 
Building a DevOps pipeline for Serverless by using Mocha, GitHub and Travis
Building a DevOps pipeline for Serverless by using Mocha, GitHub and TravisBuilding a DevOps pipeline for Serverless by using Mocha, GitHub and Travis
Building a DevOps pipeline for Serverless by using Mocha, GitHub and Travis
 

Mais de Denim Group

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4JDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleDenim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramDenim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportDenim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Denim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsDenim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Denim Group
 
An OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingAn OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingDenim Group
 

Mais de Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...
 
An OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingAn OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless Computing
 

Último

🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 

Último (20)

🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

Monitoring Attack Surface to Secure DevOps Pipelines

  • 1. © 2016 Denim Group – All Rights Reserved Monitoring Attack Surface to Secure DevOps Pipelines Dan Cornell @danielcornell 0
  • 2. © 2016 Denim Group – All Rights Reserved Agenda • Background • Importance of Attack Surface • What Does Attack Surface Have to Do with DevOps? • Hybrid Analysis Mapping (HAM) Background • Installation Instructions • Use Cases • Questions
  • 3. © 2016 Denim Group – All Rights Reserved My Background • Dan Cornell, founder and CTO of Denim Group • Software developer by background (Java, .NET, etc) • OWASP San Antonio • OWASP OpenSAMM Benchmark 2
  • 4. © 2016 Denim Group – All Rights Reserved Denim Group Background • Secure software services and products company • Builds secure software • Helps organizations assess and mitigate risk of in-house developed and third party software • Provides classroom training and e-Learning so clients can build software securely • Software-centric view of application security • Application security experts are practicing developers • Development pedigree translates to rapport with development managers • Business impact: shorter time-to-fix application vulnerabilities • Culture of application security innovation and contribution • Develops open source tools to help clients mature their software security programs • Remediation Resource Center, ThreadFix • OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI • World class alliance partners accelerate innovation to solve client problems 3
  • 5. © 2016 Denim Group – All Rights Reserved OWASP ZAP • Open source web proxy and dynamic application security testing tool • https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  • 6. © 2016 Denim Group – All Rights Reserved Example Codebases • BodgeIt Store • Example vulnerable web application • https://github.com/psiinon/bodgeit • Java Spring Petstore • Example Spring application • https://github.com/spring-projects/spring-petclinic • Railsgoat • Example vulnerable web application • https://github.com/OWASP/railsgoat
  • 7. © 2016 Denim Group – All Rights Reserved ThreadFix Community Edition • Application vulnerability management • And some other stuff • https://github.com/denimgroup/threadfix
  • 8. © 2016 Denim Group – All Rights Reserved Downloads • https://dl.dropboxusercontent.com/u/737351/endpoints-json.jar • https://dl.dropboxusercontent.com/u/737351/threadfix-release-2.zap • https://github.com/denimgroup/threadfix-examples/tree/master/web_app_attack_surface
  • 9. © 2016 Denim Group – All Rights Reserved Importance of Attack Surface 8
  • 10. © 2016 Denim Group – All Rights Reserved Importance of Attack Surface • This is where an attacker can “reach out and touch” your application • Web: Mostly in the HTTP request: URL, parameters, headers (cookies) • Mobile, IoT: More complicated • We will focus on web today • Target for dynamic testing • Automated DAST • Manual assessment/penetration testing 9
  • 11. © 2016 Denim Group – All Rights Reserved What Does Attack Surface Have to Do With DevOps? • If you want your talk to be accepted, it has to have DevOps in the title • Let’s look at what we want from security in the DevOps pipeline 10
  • 12. © 2016 Denim Group – All Rights Reserved Security in the DevOps Pipeline Organizations like Etsy and Netflix are doing amazing things to secure apps via their DevOps pipelines 11
  • 13. © 2016 Denim Group – All Rights Reserved Security in the DevOps Pipeline • Testing • Synchronous • Asynchronous • Decision • Reporting 12
  • 14. © 2016 Denim Group – All Rights Reserved Focus on Testing in DevOps Pipeline • Many security tools run too long to include in many pipeline builds • Full SAST, DAST • Security testing also includes manual testing • Which is way too slow for most pipeline builds • Tracking attack surface changes over time can help us: • Focus testing activities • Trigger testing activities 13
  • 15. © 2016 Denim Group – All Rights Reserved Hybrid Analysis Mapping • Goal: Merge the results of SAST and DAST testing • Funded via DHS S&T SBIR contracts • Facilitated the creation of our attack surface modeling engine
  • 16. © 2016 Denim Group – All Rights Reserved Department of Homeland Security Support • Currently in Phase 2 of a DHS S&T CSD SBIR • Acronyms! • DHS = Department of Homeland Security • S&T = Directorate of Science and Technology • CSD = CyberSecurity Division • SBIR = Small Business Innovation Research • Geared toward developing new technologies for Federal customers • Hybrid Analysis Mapping (HAM) • Technology has been included with ThreadFix • Has also resulted in some other released components we will talk about today • Please do not assume this talk is endorsed by DHS • This is just me talking about what we have done
  • 17. © 2016 Denim Group – All Rights Reserved Hybrid Analysis Mapping (HAM) • Initial goal: Correlate and merge results from SAST and DAST • After we made that work, we found other stuff we could do with the technology 16
  • 18. © 2016 Denim Group – All Rights Reserved Hybrid Analysis Mapping (HAM) • Determine the feasibility of developing a system that can reliably and efficiently correlate and merge the results of automated static and dynamic security scans of web applications. HP Fortify SCA IBM AppScan Standard 17
  • 19. © 2016 Denim Group – All Rights Reserved Dynamic Application Security Testing (DAST) • Spider to enumerate attack surface • Crawl the site like Google would • But with authentication / session detection • Fuzz to identify vulnerabilities based on analysis of request/response patterns • If you send a SQL control character and get a JDBC error message back, that could indicate a SQL injection vulnerability • A finding looks like (CWE, relative URL, [entry point]) 18
  • 20. © 2016 Denim Group – All Rights Reserved Static Application Security Testing (SAST) • Use source or binary to create a model of the application • Kind of like a compiler or VM • Perform analysis to identify vulnerabilities and weaknesses • Data flow, control flow, semantic, etc • A finding looks like (CWE, code/data flow) 19
  • 21. © 2016 Denim Group – All Rights Reserved Hybrid Analysis Mapping Sub- Goals • Standardize vulnerability types • Settled on MITRE Common Weakness Enumeration (CWE) • Match dynamic and static locations • Use knowledge of language/web framework to build attack surface database • Improve static parameter parsing • Parse out of source code to match with DAST result 20
  • 22. © 2016 Denim Group – All Rights Reserved Information Used • Source Code • Git, Subversion, Local Copy • Framework Type • Java: JSP, Spring, Struts • C#: .NET WebForms, .NET MVC • Ruby: Rails • PHP: in progress • Extra information from SAST results (if available) 21
  • 23. © 2016 Denim Group – All Rights Reserved Unified Endpoint Database • EndpointQuery • dynamicPath • staticPath • Parameter • httpMethod • codePoints [List<CodePoint>] • informationSourceType • EndpointDatabase • findBestMatch(EndpointQuery query): Endpoint • findAllMatches(EndpointQuery query): Set<Endpoint> • getFrameworkType(): FrameworkType
  • 24. © 2016 Denim Group – All Rights Reserved Merging SAST and DAST Results • I have a DAST result: • (“Reflected XSS”, /login.jsp, “username” parameter) • Query the Endpoint Database: • Entry point is com.something.something.LoginController.java, line 62 • Search the other findings for SAST results like: • (“Reflected XSS”, source at com.something.something.LoginController.java, line 62) • If you find a match – correlate those two findings • Magic!
  • 25. © 2016 Denim Group – All Rights Reserved That’s Great But I Want More • So our research produced a successful/valuable outcome • Hooray • But – given these data structures, what else can we do? • From an EndpointDatabase we can: • Get all of the application’s attack surface • Map DAST results to a specific line of code • Given those capabilities we can: • Pre-seed scanners with attack surface • Map DAST results to lines of code in a developer IDE • Map DAST results to lines of code in SonarQube
  • 26. © 2016 Denim Group – All Rights Reserved Scanner Seeding • What if we could give the DAST spidering process a head start? • Pre-seed with all of the attack surface • Landing pages that link in to the application • Hidden directories • Backdoor or “unused” parameters • Currently have plugins for OWASP ZAP and BurpSuite • Plugin for IBM Rational AppScan Standard is in progress https://github.com/denimgroup/threadfix/wiki/Scanner-­Plugins
  • 27. © 2016 Denim Group – All Rights Reserved Final Thoughts on SBIR Work with DHS S&T • Great use of the SBIR program • In my humble and totally unbiased opinion • Proved to be the tipping point to developing HAM • HAM was interesting, but required material investment • Research produced a successful outcome (we think) • We found other things we could do with the technology • Released much of it open source to increase adoption
  • 28. © 2016 Denim Group – All Rights Reserved Getting the Plugin • Main ThreadFix site • https://github.com/denimgroup/threadfix/ • ThreadFix build instructions • https://github.com/denimgroup/threadfix/wiki/Development- Environment-Setup • “Running ThreadFix Without an IDE” • Download plugins from ThreadFix
  • 29. © 2016 Denim Group – All Rights Reserved Plugin Installation Instructions • OWASP ZAP plugin installation instructions • https://github.com/denimgroup/threadfix/wiki/Zap-Plugin • Plugins also available for: • Portswigger BurpSuite Professional • IBM Rational AppScan (soon)
  • 30. © 2016 Denim Group – All Rights Reserved Attack Surface Enumeration • Find all of the attack surface • URLs • Parameters that will change application behavior • Future: Cookies, other HTTP headers • Why is this a problem? • Hidden landing pages • Multi-step processes that automated crawls don’t traverse • Unknown parameters • Debug/backdoor parameters (will discuss this further) • Great for REST APIs support single-page web applications and mobile applications
  • 31. © 2016 Denim Group – All Rights Reserved Attack Surface Enumeration Benefits • Reduce false negatives from scanners • Better coverage for standard fuzzing • Pen test all of the application
  • 32. © 2016 Denim Group – All Rights Reserved Endpoints CLI Notes • Syntax: java –jar [jar-name].jar /path/to/source • JAR name will change based on build ID • After Maven build, can also be found in: $GIT/threadfix/threadfix-cli- endpoints/target/ • You want the ”-jar-with-dependencies” JAR • Will output list of HTTP methods, URLs and parameters based on analysis of the source code • Attack surface! • Add “-json” to the end of the command to get output in JSON format • Easier to manipulate
  • 33. © 2016 Denim Group – All Rights Reserved Command Line Demo
  • 34. © 2016 Denim Group – All Rights Reserved Scanner Attack Surface Seeding Demo
  • 35. © 2016 Denim Group – All Rights Reserved Attack Surface Visualization Demo 34
  • 36. © 2016 Denim Group – All Rights Reserved Attack Surface Comparison Visualization Demo 35
  • 37. © 2016 Denim Group – All Rights Reserved Diffing Attack Surface Demo 36
  • 38. © 2016 Denim Group – All Rights Reserved Applications for DevOps Pipelines • Target DAST testing to focus on new attack surface in latest build • “Run an authenticated ZAP scan against the three new URLs added in the last commit” • Set thresholds for when manual assessment/penetration testing is triggered • “Schedule a manual penetration test when the attack surface has increased by 10 URLs” • “Schedule a manual penetration test when the attack surface has increased by 5%” • Focus those efforts on new attack surface • ChatOps: Attack surface delta notifications on commit • “Commit beb78c835706efe5d619148b9a8dc9e35ee9572b added attack surface: /advanced.jsp, /preferenes.jsp” 37
  • 39. © 2016 Denim Group – All Rights Reserved Next Steps • Expand the model of application attack surface • Currently: Parameters, HTTP verbs • Working on: HTTP headers (cookies) • Future: Other application types: Mobile, IoT • Better visualization • More details • Better granularity • Native integrations: Jenkins, Slack, HipChat, etc • This is kind of “scripty” right now 38
  • 40. © 2016 Denim Group – All Rights Reserved Questions / Contact Information Dan Cornell Principal and CTO dan@denimgroup.com Twitter @danielcornell (844) 572-4400 www.denimgroup.com www.threadfix.it 39