1 of 22

Beating the Clock – Using AppSec Testing Tools and DevSecOps

Bhushan Gupta
Gupta Consulting, LLC.
www.bgupta.com

Copyright Gupta Consulting, LLC. www.bgupta.com

1

09/23/2021

2 of 22

About Me


Vegetarian

3 of 22

Agenda

  • Testing Web Application Security in Agile Development
  • Role of Tools and Criteria For a Tool Selection
  • Zed Attack Proxy (ZAP) Characteristics
  • Using ZAP in Standalone Environment – Setup Guidelines and Demo
  • Integrating ZAP with CI/CD (Jenkins)
  • Conclusion


4 of 22

Achieving High Web Application Security – A Daunting Task

System Elements Relevant to Security

  • Application Platform – Operating System
  • Development Environment – Platform (Java, J2EE), 3rd Party Software including Open Source
  • Application development (SDLC) – From Requirements to Release
  • Best Practices – Configuration, Hardening, Coding Standards


5 of 22

Implementation

Diagram: security activities and the roles that own them.

  • SAST – Security + Dev Engineer
  • PenTest – Security + QA
  • DAST – Security + Dev Engineer
  • Security Story Testing – Security Engineer + QA
  • Security Controls – Security + Dev Engineer

6 of 22

Lifecycle of a Security Story in an Iteration


Story Development

  • Develop Acceptance Criteria
  • Define Security Controls
  • Plan Security Validation

Code Development

  • Code Review
  • System Hardening
  • SAST (Integrated with CI/CD)

Validation (Red, Blue Teaming)

  • SAST, DAST
  • Security Testing

System validation

  • PenTest
  • Risk Assessment
  • Risk Mitigation

7 of 22

Security Controls – Checks and Balances

Diagram: Portal → WEB Server → Database Server, with a control set at each point.

Data
  1. Accurate Data
  2. Integrity Maintained
  3. Only Authorized Access

Hide Data Entry
  1. Do not display Critical data
  2. Sanitize User Input

Data in transit
  1. Secure Socket Layer
  2. Encrypted Data

Maintain data confidentiality
  1. Validate Data
  2. Encrypt Data
  3. Adequate Access Control

8 of 22

Testing Strategy along SDLC

Code State:
  • Static (Source, Object)
  • Dynamic (Executable)

Design and Coding Security Risks:
  1. Quick Assessment using scanners
  2. Formal Security Requirements Testing
  3. Penetration

9 of 22

Static Application Security Testing (SAST)

  • Development Environment
  • Access Rights (Process & User)
  • Input Validation
  • Runtime Environment
  • Design and Code Reviews
  • Limited Tools

10 of 22

Dynamic Application Security Testing (DAST)

Code State: Executable

  1. Security Control Testing (Functional)
  2. Penetration – Specialized Testing

Tools Available:
  • Popular Automation Tools
  • Security Specific Tool – Scanner (Open Source / Commercial)

11 of 22

Common Tool Selection Criteria

  • Functionality
  • Reporting
  • Support
  • Commercial Considerations

Ref: Brian Myers, "Starting a Security Program on a Shoestring", Pacific Northwest Software Quality Conference, 2019


12 of 22

Zed Attack Proxy (ZAP)

  • Scanner by OWASP (Open Web Application Security Project)
  • Comprehensive
  • Large user base – problems and limitations are exposed
  • Free of cost
  • Can be integrated into CI/CD


13 of 22

ZAP Features

  • Automated Scanning
  • Intercepting Proxy
  • Brute Force Scanning
  • Fuzzing
  • Port Scanning
  • Advanced SQL Injection Testing
  • Integration with DevOps Tools


14 of 22

ZAP Characteristics

  • Intercepting Proxy Tool
    • Can be used standalone or as a daemon process
    • Inspects the packets and forwards them to the browser
    • Can work with another proxy running in your environment

Diagram: Browser ↔ Tool ↔ Application; with an upstream proxy in the environment, Browser ↔ Tool ↔ Proxy ↔ Application.

15 of 22

ZAP in Action - Demo


16 of 22

Integrating ZAP with Jenkins


Grégoire Willmann

https://medium.com/@Gr3g0ire/automatic-security-tests-in-jenkins-with-owasp-zap-d81bdb8e65d6

17 of 22

ZAP with Jenkins – Lessons Learned

  • Run Jenkins as a service to keep it contained
  • ZAP plugin configuration is critical
  • Customize to your needs
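Added example, not from the deck or the linked article: a small quality gate that a Jenkins step could run over the JSON report ZAP writes, failing the build only on alerts at or above a chosen risk level and confidence, so that the "customize to your needs" point becomes an explicit policy. It assumes the field layout of ZAP's JSON report (site / alerts / riskcode / confidence / instances) and uses a constructed sample report, not a real scan result.

```python
"""Quality gate for a ZAP JSON report: fail the CI step when alerts reach a risk threshold."""
import json
import sys
from collections import Counter

# Risk codes as used in ZAP's JSON report (assumption: field names follow that format).
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

# Constructed sample in the shape of a ZAP JSON report; not output from a real scan.
SAMPLE_REPORT = json.dumps({"site": [{"@name": "http://app.example.test", "alerts": [
    {"alert": "Missing Anti-clickjacking Header", "riskcode": "2", "confidence": "2",
     "instances": [{"uri": "http://app.example.test/", "method": "GET"}]},
    {"alert": "SQL Injection", "riskcode": "3", "confidence": "2",
     "instances": [{"uri": "http://app.example.test/search", "method": "GET", "param": "q"}]},
    {"alert": "Server Leaks Version Information", "riskcode": "1", "confidence": "3",
     "instances": [{"uri": "http://app.example.test/", "method": "GET"}]},
]}]})


def summarize(report_json: str) -> Counter:
    """Count alerts per risk level across every site in the report."""
    counts = Counter()
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            counts[RISK_NAMES.get(alert.get("riskcode", "0"), "Informational")] += 1
    return counts


def failing_alerts(report_json: str, min_risk: int = 3, min_confidence: int = 2) -> list:
    """Return (alert name, uri, param) for each instance meeting both thresholds.
    Low-confidence hits are skipped so probable false positives do not block the pipeline."""
    hits = []
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            if int(alert.get("riskcode", 0)) < min_risk or int(alert.get("confidence", 0)) < min_confidence:
                continue
            for inst in alert.get("instances", []):
                hits.append((alert["alert"], inst.get("uri", ""), inst.get("param", "")))
    return hits


def gate(report_json: str, min_risk: int = 3) -> int:
    """Exit status for the CI step: 1 when any alert meets the threshold, else 0."""
    return 1 if failing_alerts(report_json, min_risk) else 0


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print(dict(summarize(data)))
    for name, uri, param in failing_alerts(data):
        print(f"FAIL: {name} at {uri} (param={param or '-'})")
    sys.exit(gate(data))
```

Pass the path of the report (e.g. the file written by ZAP's `-J` option in the baseline scan) as the first argument; the non-zero exit status is what makes the Jenkins stage fail.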


18 of 22

A look at ZAP – Jenkins Integration


19 of 22

Holistic Security Test Approach


As a customer I want to buy merchandise without revealing my credit card information

  • Data is encrypted with AES
  • Data is transmitted using secure protocol

Flow: Develop Test Plan / Cases → SAST (Automate) → Design Review → Enhance Test Plan/Cases → DAST (Automate) → Enhance Test Plan/Cases → Formal Security Testing → System Hardening → Penetration Testing

20 of 22

Why Test AppSec throughout SDLC?


21 of 22

Conclusion

  • Security Testing is a complex Task
  • Manual testing is tedious and time consuming
  • Deploy test tools as much as possible
  • Test throughout the lifecycle
  • Make testing a part of your CI/CD pipeline
