[rakuten techconf2014] [fukuoka] security checking which is as a part of continuous integration

Post on 03-Jul-2015


DESCRIPTION

Rakuten Technology Conference 2014 "Security checking which is as a part of Continuous Integration" Masanori Fujisaki (HEARTBEATS Corporation / Walti, Inc.)

TRANSCRIPT

Security Checking,

as a part of

Continuous Integration

Rakuten Technology Conference

2014

@ FUKUOKA

Who am I ?

Masanori Fujisaki

Twitter: @fujisaki_hb

Facebook: fujisaki.masanori

Founder & CEO

HEARTBEATS Corp. ( since April, 2005)

Walti, Inc. ( since July, 2014 )

Entrepreneur & Infrastructure Engineer

I was born in Iiduka, Fukuoka,

and grew up in Kitakyusyu, Fukuoka,

and now live in Shibuya, Tokyo.


Today’s Topics

1. Recent Security Incidents.

2. Why you need to do security checking as a part of

Continuous Integration.

3. Some Open Source Security Check Tools

4. Some Security Communities and Organizations

5. About Walti.io

Recent Security Incidents (1)

Environmental Pattern..

Heartbleed

OpenSSL

http://heartbleed.com/

ShellShock

Bash

http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29

POODLE

SSL3.0 protocol

https://www.openssl.org/~bodo/ssl-poodle.pdf

Recent Security Incidents (2)

DDoS Pattern..

NTP Amplification Attack

CloudFlare 400Gbps

http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/

DNS Amplification Attack

DNS Open Resolver

https://www.us-cert.gov/ncas/alerts/TA13-088A

UPnP Device-Based Reflection Attack

http://www.akamai.co.jp/enja/html/about/press/releases/2014/press-101514-2.html

One of the Solutions

Inbound Port 53 Blocking

Inbound Port 123 Blocking

http://www.kddi.com/important-news/20140825/

Recent Security Incidents (3)

Frameworks

Struts

https://www.ipa.go.jp/security/ciadr/vul/20140417-struts.html

Rails

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3514

One of the Solutions

Request Pattern blocking by URL Filter or IDS/IDP

This means…

Security issues occur at each layer.

We always need to keep applying security updates.

We have to develop secure applications.

We have to manage infrastructure securely.

You cannot do all of those by yourself.

TEST

Old Style TEST

You test your application before release.

Modern Style TEST

You constantly test by CI Tools.

Security Check

Old Style Security Check

You only check your application security before release.

Modern Style Security Check

You constantly check your app security by CI Tools.

Security Check,

as a part of

Continuous Integration.

Continuous Integration

develop → test → deploy

Security Checking as a part of Continuous Integration

develop → Test → deploy to staging → Security check → deploy to production

Security Checking by OSS,

as a part of

Continuous Integration

for Web Application

OWASP ZAP

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

zapper

https://github.com/adedayo/zapper

Skipfish

https://code.google.com/p/skipfish/

shell

http://cloudapplistore.biglobe.ne.jp/ca/help/devops_3_manual_Jenkins.pdf

Wapiti

http://wapiti.sourceforge.net/

for Infrastructure

nmap (for Firewall / netfilter)

http://nmap.org/

nikto (for Web Server)

https://www.cirt.net/Nikto2

sslyze (for HTTPS setting)

https://github.com/nabla-c0d3/sslyze

Metasploit (All in one)

http://www.metasploit.com/
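The "Security check" step between "deploy to staging" and "deploy to production" has to turn tool output into a pass/fail exit status that the CI server can act on. The following shell script is an added example, not code from the talk or from Walti.io: it gates the production deploy on nmap and sslyze results for the staging host, failing the build when a port outside an allowlist is open (for instance 53/udp or 123/udp, the amplification vectors from the DDoS slide) or when any cipher suite is still accepted over SSLv2/SSLv3 (the POODLE condition). The checks parse tool output, so the script runs offline on the constructed samples embedded below. Assumptions: the allowed-port list, the host name `staging.example.com`, the tool invocations shown in comments, and the layout of sslyze's text report (the `* SSLV3 Cipher Suites:` / `Accepted:` / `Rejected:` sections); the nmap grepable (`-oG`) line format is real.

```shell
#!/bin/sh
# Added example (not from the talk or Walti.io): a "Security check" CI stage
# that gates "deploy to production" on nmap and sslyze results for staging.
# The real tool invocations are assumed and shown in comments at the end;
# the checks themselves parse tool output, so this runs offline.

# Assumption: the staging host is a plain web server, so only these ports may
# be reachable. Anything else, e.g. 53/udp or 123/udp, fails the build.
ALLOWED_PORTS="22/tcp 80/tcp 443/tcp"

# check_open_ports <nmap grepable output>
# nmap -oG prints one "Host:" line per host, e.g.
#   Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 123/open/udp//ntp///
# Returns 0 when every open port is in ALLOWED_PORTS, 1 otherwise.
check_open_ports() {
    rc=0
    for entry in $(printf '%s\n' "$1" | grep -o '[0-9]*/open/[a-z]*' || true); do
        port=$(printf '%s' "$entry" | cut -d/ -f1)
        proto=$(printf '%s' "$entry" | cut -d/ -f3)
        case " $ALLOWED_PORTS " in
            *" $port/$proto "*) ;;
            *) echo "FAIL: unexpected open port $port/$proto" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# check_legacy_ssl <sslyze text report>
# Counts cipher suites listed under "Accepted:" in an SSLV2/SSLV3 section; any
# such suite means a POODLE downgrade is possible. The section layout is an
# assumption modelled on sslyze's text report; adjust if your version differs.
# Returns 0 when no legacy suite is accepted, 1 otherwise.
check_legacy_ssl() {
    n=$(printf '%s\n' "$1" | awk '
        /^ *\* /                            { legacy = ($0 ~ /SSLV[23] Cipher Suites/); inacc = 0 }
        legacy && /Accepted:/               { inacc = 1; next }
        legacy && /Rejected:|Preferred:/    { inacc = 0 }
        legacy && inacc && /^ *[A-Z0-9_-]+/ { if ($1 != "None") n++ }
        END                                 { print n + 0 }')
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n cipher suite(s) accepted over SSLv2/SSLv3 (POODLE)" >&2
        return 1
    fi
    return 0
}

# security_check_stage <nmap output> <sslyze output>
# Runs both checks; a non-zero return is what stops the CI job before the
# production deploy.
security_check_stage() {
    failed=0
    check_open_ports "$1" || failed=1
    check_legacy_ssl "$2" || failed=1
    return $failed
}

# Constructed sample output (not captured from a real host).
NMAP_OK='Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///'
NMAP_BAD='Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 443/open/tcp//https///, 53/open/udp//domain///, 123/open/udp//ntp///'
SSL_OK=' * TLSV1_2 Cipher Suites:
      Accepted:
        ECDHE-RSA-AES128-GCM-SHA256   128 bits
 * SSLV3 Cipher Suites:
      Accepted:
      Rejected:
        AES256-SHA                    256 bits'
SSL_BAD=' * SSLV3 Cipher Suites:
      Preferred:
        None - server followed client cipher suite preference.
      Accepted:
        AES256-SHA                    256 bits
        DES-CBC3-SHA                  168 bits
      Rejected:
        RC4-MD5                       128 bits'

# Demonstration on the samples: the first gate passes, the second stops the build.
security_check_stage "$NMAP_OK" "$SSL_OK" && echo "staging gate: PASS"
security_check_stage "$NMAP_BAD" "$SSL_BAD" || echo "staging gate: FAIL, not deploying to production"

# In the Jenkins job (assumed invocations; staging.example.com is a placeholder):
#   sudo nmap -sS -sU -p 1-1024 -oG - staging.example.com > nmap.txt
#   sslyze --regular staging.example.com:443 > sslyze.txt
#   security_check_stage "$(cat nmap.txt)" "$(cat sslyze.txt)"
```

The allowlist is deliberately the positive form: the build fails on anything not explicitly expected, so a newly exposed service surfaces on the staging scan rather than after the production deploy.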

CI Tools

Jenkins: An extendable open source Continuous Integration server

http://jenkins-ci.org/

Mozilla Minion: An open source Security Automation platform.

https://wiki.mozilla.org/Security/Projects/Minion

http://heartbeats.jp/hbblog/2013/08/minion.html

Security Communities &

Organizations

OWASP

The Open Web Application Security Project (OWASP)

https://www.owasp.org/

the free and open software security community

Japan Chapter

https://www.owasp.org/index.php/Japan

OWASP Top 10

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

MITRE

MITRE: a not-for-profit organization that operates multiple federally funded research and development centers

http://www.mitre.org/

CWE: Common Weakness Enumeration

http://cwe.mitre.org/

used by NIST, OWASP Top 10 project, etc…

CSIRT

CSIRT: Computer Security Incident Response Team

CERT/CC

JPCERT/CC

NIRT(National Incident Response Team)

Nippon CSIRT Association

http://www.nca.gr.jp/

Japan MSP Association

( To be Founded on November 1, 2014 )

How can you do Security

Checking Easily by OSS,

as a part of

Continuous Integration?

I have one proposal.

Walti.io

Walti.io is…

https://walti.io/

Continuous Server-side Security Scanner

Run Scans Easily from Dashboard

Team-based Web Safety Protection

Continuous Security Management

API Support

Impressive Low Cost

Scanners in Walti.io

Portscan ¥10/scan

Nikto ¥10/scan

Sslyze ¥5/scan

Skipfish ¥100/scan

develop

Test

deploy to staging

Security check

deploy to production

Demo

https://beta.walti.io/

Today’s Summary

1. Recent Security Incidents

2. Why you need to do security checking as a part of

Continuous Integration.

3. Some Open Source Security Check Tools

4. Some Security Communities and Organizations

5. About Walti.io

Q & A

Thank you.
