Transcription
Thanks to Swisscom, www.swisscom.com, @Swisscom_de
The OWASP Foundation, https://www.owasp.org. S-SDLC – Ready for Clouds? Robert Schneider, robert.schneider@owasp.org
Robert Schneider, ICT Security Officer @ Swisscom IT Services. robert.schneider@owasp.org, @schattenbaum_ch, www.schattenbaum.ch, www.owasp.ch
Table of Contents: 1. Introduction. 2. Phases (for each phase: purpose, possible candidates, pitfalls). 3. Wrap up. 4. Questions & open discussion.
Disclaimer: This talk is not about SDLC basics (Waterfall, Agile software development, sprints, ...) and not about checks for malicious behaviour (additional features to assure this).
Introduction: What are we building?
[Diagram: the development pipeline we start from: IDE, SCM, CI, Unit Testing, Code Review, Vuln. Scan]
Introduction: What do we have to keep in mind? A wide range of coding languages must be supported; CI: Jenkins / Bamboo / ...; SCM: Git / SVN / ...; traceability (logging); multi-user and multi-tenant operation.
Introduction: What do we want to achieve? As much automation as possible; developers are integrated into the automated monitoring; as little additional effort for developers as possible; early detection of software flaws.
[Diagram: the same pipeline extended with the two new stages: IDE, SCM, CI, Unit Testing, Code Review, Vuln. Scan, IP Scan, L&S (load & stress testing)]
Introduction: This should help us to achieve a secure cloud.
Phases: 1. Intellectual Property Scan. 2. Code Review. 3. Vulnerability Scanning. 4. Stress & Load Testing.
INTELLECTUAL PROPERTY SCAN15
IP Scan: Who is using Open Source Software (OSS)?
IP Scan: What OSS components do you use? In which version?
IP Scan: Are you sure that you know them all? Even snippets?
IP Scan: Has Security approved the use of them? Legal as well?
IP Scan: Are you allowed to contribute your work? If yes: what are you allowed to contribute back to the community, and how are you allowed to do that?
IP Scan: Is one of the used components vulnerable to a CVE?
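The questions on the preceding slides (which components, which version, approved license, known vulnerability) are exactly what an IP-scan tool automates in CI. The following is an added example, not code from the talk or from any of the tools named on the next slide: a minimal gate over a pinned manifest. The manifest, the license policy, the component metadata and the advisory list are all constructed for the demo; the `ADV-EXAMPLE-*` identifiers are placeholders, not real CVEs, and in a real pipeline the advisory and license data would come from the tool's feed.

```python
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """Dotted numeric versions ("1.2.10") compared as integer tuples, so that
    1.2.10 sorts after 1.2.9; a plain string compare would get that wrong."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text: str) -> dict:
    """Inventory step: return {component: version}. A line without '==' is a
    copied snippet with no version; it is recorded with version None so that
    it still shows up in the report instead of silently vanishing."""
    components = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            components[name.strip()] = version.strip()
        else:
            components[line] = None
    return components


@dataclass(frozen=True)
class Advisory:
    component: str
    vuln_from: str   # first affected version (inclusive)
    fixed_in: str    # first fixed version (exclusive)
    ref: str         # placeholder identifier for the demo, not a real CVE


def is_affected(version: Optional[str], adv: Advisory) -> bool:
    """Range check: vuln_from <= version < fixed_in. An unknown version is
    treated as affected: "we do not know" is not a pass."""
    if version is None:
        return True
    v = parse_version(version)
    return parse_version(adv.vuln_from) <= v < parse_version(adv.fixed_in)


def check_licenses(components: dict, licenses: dict, approved: set) -> list:
    """Legal step: every component must have a known, pre-approved license."""
    findings = []
    for name in components:
        lic = licenses.get(name)
        if lic is None:
            findings.append((name, "license unknown, needs review"))
        elif lic not in approved:
            findings.append((name, f"license {lic} not approved"))
    return findings


def check_advisories(components: dict, advisories: list) -> list:
    """Security step: match the inventory against known-vulnerable ranges."""
    findings = []
    for adv in advisories:
        if adv.component in components and is_affected(components[adv.component], adv):
            findings.append((adv.component, components[adv.component], adv.ref))
    return findings


def run_gate(manifest_text: str, licenses: dict, approved: set, advisories: list) -> dict:
    """CI gate: 'ok' is False when something must be fixed or approved before
    the build may move on towards deployment."""
    components = parse_manifest(manifest_text)
    lic = check_licenses(components, licenses, approved)
    vuln = check_advisories(components, advisories)
    return {"components": components, "license_findings": lic,
            "vuln_findings": vuln, "ok": not lic and not vuln}


# Constructed sample data (hypothetical components, licenses and advisories).
MANIFEST = """\
jsonparser==1.4.2
fastcrypto==0.9.1
uilib==2.0.0
quicksort-snippet   # copied from a forum post, no version and no license recorded
"""
LICENSES = {"jsonparser": "MIT", "fastcrypto": "GPL-3.0", "uilib": "Apache-2.0"}
APPROVED = {"MIT", "BSD-3-Clause", "Apache-2.0"}
ADVISORIES = [
    Advisory("jsonparser", "1.0.0", "1.4.3", "ADV-EXAMPLE-0001"),
    Advisory("fastcrypto", "0.5.0", "0.9.0", "ADV-EXAMPLE-0002"),
]

if __name__ == "__main__":
    report = run_gate(MANIFEST, LICENSES, APPROVED, ADVISORIES)
    for name, version in report["components"].items():
        print(f"{name:20} {version or '?'}")
    for finding in report["license_findings"] + report["vuln_findings"]:
        print("FINDING:", finding)
    raise SystemExit(0 if report["ok"] else 1)
```

Two design points carry over to real tools: the snippet without a version is reported rather than dropped (that is the "even snippets?" question), and an unknown version is treated as affected so that missing data fails closed. The exit code is what lets the CI server block the build; the report is what Legal and Security actually act on.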
Possible candidates: Palamida, OpenLogic, Black Duck
www.ohloh.net
Pitfalls: Processes of different operating units do not merge as easily as you would like them to. You may need additional employees. Do you allow the tool to connect to the internet and transmit data? What do you do once you know your problems?
CODE REVIEW25
Code Review: Detect software flaws as early as possible, even some bad coding practices.
Code Review: Long-term benefits: developers get to know what actually to look for, and know how to prevent these flaws from the beginning.
Code Review: Time & budget saving.
Possible candidates: Sonatype, HP Fortify, DefenseCode ThunderScan, Checkmarx. See also www.owasp.org
Pitfalls: Training needed. False positives & negatives. Developers do not see the tool as an improvement. Management does not see the long-term benefits.
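To make the "false positives & negatives" pitfall concrete, here is an added example (not code from the talk or from any of the products listed): a deliberately naive code-review rule that flags SQL text assembled from variables and handed to `execute()`, run over a constructed sample. The rule names, the sample source and the accepted-false-positive list are all hypothetical. Real tools work on a parsed program and data flow rather than regular expressions, but the three outcomes the slide warns about show up even here: a true finding, a constant concatenation the rule cannot tell apart from user input (false positive), and SQL built on one line and executed on another that the call-site-only rule misses (false negative).

```python
import re
from typing import List, Tuple

# Constructed, deliberately naive rules for the demo.
STRING_BUILD = re.compile(r'(?:"[^"]*"|\'[^\']*\')\s*[+%]\s*\w|\bf["\']')  # "lit" + x, "lit" % x, f"..."
EXECUTE_CALL = re.compile(r'\.execute\(\s*(.*)\)')
ASSIGNMENT = re.compile(r'^\s*(\w+)\s*=\s*(.+)$')

Finding = Tuple[int, str, str]      # (line number, rule id, source line)


def scan(source: str, track_assignments: bool = True) -> List[Finding]:
    """Flag execute() calls whose SQL text embeds other values.
    With track_assignments=False the rule only looks at the call itself and
    misses SQL that was assembled into a variable on an earlier line."""
    findings: List[Finding] = []
    tainted = set()                 # variables assigned from a built-up string
    for no, line in enumerate(source.splitlines(), 1):
        m = ASSIGNMENT.match(line)
        if track_assignments and m and STRING_BUILD.search(m.group(2)):
            tainted.add(m.group(1))
        m = EXECUTE_CALL.search(line)
        if not m:
            continue
        arg = m.group(1)
        if STRING_BUILD.search(arg):
            findings.append((no, "sql-string-build", line.strip()))
        elif arg.split(",", 1)[0].strip() in tainted:
            findings.append((no, "sql-tainted-variable", line.strip()))
    return findings


def triage(findings: List[Finding], accepted: set) -> List[Finding]:
    """Drop findings a reviewer has already marked as false positives, keyed
    on the source line, so the gate stops re-reporting them on every build."""
    return [f for f in findings if f[2] not in accepted]


# Constructed sample under review. Lines 1, 3 and 6 are real problems, line 2
# is the parameterised form, line 4 concatenates a module constant (a false
# positive), lines 5 and 6 build the query first and execute it later.
SAMPLE = """\
cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
cur.execute("SELECT * FROM users WHERE name = %s", (name,))
cur.execute(f"SELECT * FROM users WHERE id = {uid}")
cur.execute("SELECT * FROM " + TABLE)
query = "SELECT * FROM users WHERE name = '" + name + "'"
cur.execute(query)
"""

# Hypothetical reviewer decision: line 4 is a constant, keep it out of the report.
ACCEPTED_FALSE_POSITIVES = {'cur.execute("SELECT * FROM " + TABLE)'}

if __name__ == "__main__":
    for no, rule, text in triage(scan(SAMPLE), ACCEPTED_FALSE_POSITIVES):
        print(f"line {no}: {rule}: {text}")
```

The assignment tracking is the "training" the slide mentions in miniature: every false negative you learn about becomes a refinement of the rule, and every accepted false positive goes into the triage list so developers are not asked to look at it again. Without both, the tool is what the next pitfall describes: something developers do not see as an improvement.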
WHAT ABOUT BINARIES?31
Binaries? Veracode: big players are using it; it is located in the USA; your data does not stay at "home".
VULNERABILITY SCANNING33
Vulnerability Scanning: Is the ready-to-deploy application still vulnerable?
Vulnerability Scanning: This phase is comparable to an automated penetration test.
Vulnerability Scanning: Pre-deployment: again checking for the OWASP Top 10, and even the flaws we have not been able to test for during phase 2.
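What "comparable to an automated penetration test" means in practice is a set of probes against the deployed build rather than its source. The following is an added example, not code from the talk or from any of the scanners listed on the next slide: two probes (unescaped reflection of a marker, which is the classic reflected-XSS indicator, and missing hardening headers) run against a constructed stand-in application. The application, the base URL and the required-header list are hypothetical; `fetch` is a callable so the same probes run offline here against the in-process stand-in and, with `http_fetch`, against the sandboxed deployment the pitfalls slide asks for.

```python
import html
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, quote, urlsplit

Response = Tuple[int, Dict[str, str], str]          # (status, headers, body)
Fetch = Callable[[str], Response]
Finding = Tuple[str, str, str]                      # (check, subject, detail)


def http_fetch(url: str) -> Response:
    """Real transport for the sandboxed deployment (not used by the offline demo)."""
    with urllib.request.urlopen(url, timeout=10) as r:
        return r.status, dict(r.headers), r.read().decode("utf-8", "replace")


# Constructed stand-ins for the application under test (hypothetical app):
# the build as handed over, and the fixed build.
def vulnerable_app(url: str) -> Response:
    name = parse_qs(urlsplit(url).query).get("name", [""])[0]
    return 200, {"Content-Type": "text/html"}, f"<p>Hello {name}</p>"


def fixed_app(url: str) -> Response:
    name = html.escape(parse_qs(urlsplit(url).query).get("name", [""])[0], quote=True)
    headers = {"Content-Type": "text/html",
               "X-Content-Type-Options": "nosniff",
               "Content-Security-Policy": "default-src 'self'"}
    return 200, headers, f"<p>Hello {name}</p>"


BASE_URL = "http://app.example/greet"               # hypothetical deployment
MARKER = "zq1<\"'>zq2"                               # unlikely token with HTML metacharacters
REQUIRED_HEADERS = ("X-Content-Type-Options", "Content-Security-Policy")


def probe_reflection(fetch: Fetch, base_url: str, param: str) -> Optional[Finding]:
    """Send the marker in one parameter and look for it verbatim in the body.
    An HTML-escaped echo is fine and produces no finding."""
    _, _, body = fetch(f"{base_url}?{param}={quote(MARKER)}")
    if MARKER in body:
        return ("reflected-unescaped", param, f"parameter {param!r} is echoed without HTML escaping")
    return None


def check_headers(headers: Dict[str, str]) -> List[Finding]:
    present = {h.lower() for h in headers}
    return [("missing-header", h, f"response lacks {h}")
            for h in REQUIRED_HEADERS if h.lower() not in present]


def scan(fetch: Fetch, base_url: str, params: List[str]) -> List[Finding]:
    """Pre-deployment gate: every finding is a reason not to ship this build."""
    findings: List[Finding] = []
    for p in params:
        f = probe_reflection(fetch, base_url, p)
        if f:
            findings.append(f)
    _, headers, _ = fetch(base_url)
    findings.extend(check_headers(headers))
    return findings


if __name__ == "__main__":
    for app in (vulnerable_app, fixed_app):
        print(app.__name__, scan(app, BASE_URL, ["name", "lang"]) or "clean")
```

The marker is chosen so that it cannot occur in normal content and so that an escaped echo looks different from a raw one; that is what separates "the input is reflected" (harmless) from "the input is reflected unescaped" (the finding). The header check is the kind of thing phase 2 cannot see, because the headers are set by the deployed configuration and not by the application source.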
Possible candidates: WhiteHat Security Sentinel, Quotium Seeker, HP WebInspect, DefenseCode Web Security Scanner, Cenzic Hailstorm, Burp Suite Pro, Acunetix
WebSockets: Burp Suite Pro (v1.5.21)
Pitfalls: Training needed. False positives & negatives. "Automated" deployment of the application is needed (sandbox?). Fixing times.
STRESS & LOAD TESTING41
S & L Testing: How does it scale? Will the software "ruin" us when we start using it in the cloud?
Possible candidates: Proxy Sniffer, OpenSTA, LoadRunner, JMeter
Pitfalls: Automation is probably impossible because user scripts are needed. You may miss an important use case and therefore get inaccurate feedback. Testing environment. Testing data.
WRAP UP45
Wrap up: To be ready for clouds you do not need something completely new in your S-SDLC. However, you have to be aware that your software may not get accepted on every cloud as easily as you might think.
Wrap up: In a first step, try to find the one phase that improves your S-SDLC the most: 1. Intellectual Property Scan. 2. Code Review. 3. Vulnerability Scanning. 4. Stress & Load Testing.
Wrap up: Intellectual Property Scan benefits: know what OSS you are using, and know their licenses.
Wrap up: Code Review benefits: detect software flaws as early as possible, even some bad coding practices.
Wrap up: Vulnerability Scanning benefits: know if the ready-to-deploy application is still vulnerable.
Wrap up: Stress & Load Testing benefits: know how the application scales.
Recommendation (which unit owns which phase): Dev. & Sec.: Code Review; Legal: IP Scan; Security: Vulnerability Scanning; Operations: Stress & Load Testing.
Wrap up: Try to help and not to annoy when adapting the S-SDLC. You need feedback for improvements!
QUESTIONS & OPEN DISCUSSION54
Keep up to date!55
Want to support OWASP? Become a member. An annual donation of 50 (individual) or 5000 (corporate) enables the support of OWASP projects, mailing lists, conferences, podcasts, grants and global strategic focus.
Feb 19, 2014